Selinux in development releases

Daniel J Walsh dwalsh at redhat.com
Tue Sep 25 02:10:24 UTC 2012



On 09/24/2012 04:23 PM, "Jóhann B. Guðmundsson" wrote:
> On 09/24/2012 08:16 PM, drago01 wrote:
>> On Mon, Sep 24, 2012 at 10:13 PM, "Jóhann B. Guðmundsson" 
>> <johannbg at gmail.com> wrote:
>>> I hereby propose that we default selinux to permissive mode up to
>>> final which should just get rid of unneeded nuisance during testing.
>> -1
>> 
>> This would just mean we test something different than we actually ship.
>> If there are selinux bugs they are supposed to be caught during testing
>> and reported like any other bugs.
> 
> With permissive mode we should still be able to catch all those errors and 
> report them without all the downside that comes with having it in enforcing
> mode during our development releases...
> 
> JBG

Definitely not.  Enforcing mode and Permissive mode are not equivalent.
SELinux/Permission Denied can cause things to crash.  I have been working
since last week on SELinux/Systemd problems that happen in early boot, and
would only be seen in enforcing mode.  For some reason avc messages were not
showing up in early boot, so no one would have known about it.
Dontaudit rules can cover up messages that cause application bugs.
We have been working with SELinux in enforcing mode for years now, why change
now?  Do you have specific errors that SELinux is causing in Fedora 18?

