[Fedora-packaging] SELinux testing

Paul Howarth paul at city-fan.org
Sun Sep 10 08:36:53 UTC 2006


On Sat, 2006-09-09 at 11:15 -0500, Steven Pritchard wrote:
> On Fri, Sep 08, 2006 at 04:50:44PM -0400, James Morris wrote:
> > 7. If for some reason, #2 is not possible, and the release of the package 
> > is important enough to warrant disabling a core security feature of the 
> > OS:
> > 
> > 7a. Make a note of the bugzilla # from (1) in the rpm info, cvs commit and
> > release notes, with an explanation.  Also include a standardized
> > disclaimer in the rpm info which advises the user of the security risks
> > arising from disabling SELinux.  This should only happen in truly
> > exceptional cases.  I'm not sure how we can reliably notify users that
> > SELinux can be re-enabled again, and whether they'll tolerate the entire
> > fs being relabeled on reboot.  Really, this just should not happen.
> 
> Can the policy for one application be turned off?  (I honestly don't
> know...  I haven't been able to justify spending the time to really
> wrap my brain around SELinux yet.)

This is usually possible, by setting the xxx_disable_trans SELinux
boolean, service xxx doesn't transition from the unconfined domain and
effectively runs with SELinux protection turned off.

> If not, that seems like a major flaw.  It seems to me that if a user
> could just toggle off checks for a particular application (and reboot,
> I would assume) and have everything work well enough, there would be
> an incentive to fix the one application to work with SELinux instead
> of just turning off SELinux entirely.

Reboot isn't necessary; restarting the service should suffice.

Paul.




More information about the packaging mailing list