Policy Testing Procedures

Stephen Smalley sds at tycho.nsa.gov
Tue Jun 28 16:02:07 UTC 2005 

On Tue, 2005-06-28 at 10:50 -0400, Chris Bookholt wrote:
> Greetings to all,
> 
> My systems were also adversely affected (no login, etc.) by the most 
> recent policy upgrade that came from the official updates-released yum 
> repository.
> 
> What, if any, are the fedora testing procedures for SELinux policy?  I 
> know developers make mistakes, but I thought that's what the development 
> repos were for.
> 
> I don't intend to flame, but rather to express the need for testing to 
> address the recent flood of policy problems in packages coming from what 
> are supposed to be reasonably stable repos.
> 
> Since I don't see a lack of reliability in other packages coming from 
> updates-released, it makes me think that the typical 
> development->test->release cycle does not apply to SELinux policy 
> packages.  If this is the case, why?  If not, what other reason is there 
> for the lack of comparable quality?
> 
> Clearly you, the fedora SELinux policy developers, are trying hard to 
> avoid scaring users away by incrementally tightening the policies. 
> However, each time a broken policy is released as stable, you lose the 
> trust you so patiently built.
> 
> So, my message is this:
> 
> Please test.  If you already test, please test more.  Thanks for your 
> hard work and brilliant ideas; I'm a big fan of adding MAC into 
> mainstream distros.

I have nothing to do with any updates for Fedora, but my impression
(possibly wrong) was that the procedure for all Fedora updates was the
same, i.e. developer tests on his own box to whatever degree he feels
comfortable, puts the updated package into the updates-testing tree and
announces it on fedora-test-list, some subset of the Fedora community is
expected to provide testing of the update at that point, and then after
some period of time in the absence of any bug reports, puts the updated
package into the updates-released tree.  Looking at the fedora-test-list
archives, I don't see a test release of this policy update (3.13),
although oddly I do see an announcement of a 3.15 test update on the
same day.  Not sure what happened there, or if I am missing something.

I'm also not sure we understand yet what exactly happened with the
policy update.  Some users reported selective execmod denials (e.g. gpg,
acroread) that make sense in light of the changes in the policy update
and wouldn't have shown up without exercising those specific programs,
while others have reported pervasive execmod denials for the entire
system, as in the bugzilla report, that I don't understand yet, as these
should not involve text relocations at all.  Russell wasn't able to
easily reproduce on his machine. 

-- 
Stephen Smalley
National Security Agency

More information about the selinux mailing list