Daniel J Walsh
dwalsh at redhat.com
Tue Jan 17 19:53:13 UTC 2006
Nicolas Mailhot wrote:
> Hans de Goede wrote:
>> It is really not that bad, as long as you learn:
>> -system does poof
>> -don't panic most likely selinux *
>> -reboot with selinux=disabled
>> -try again after a few days without selinux=disabled
> It's really that bad.
> If you're running half the time with selinux disabled, how are you
> supposed to trace when/how individual selinux problems are
> fixed/introduced ?
We are finished introducing new policy for additional targets at this
point. We should only be fixing existing policy problems.
There has been a major rewrite of policy in FC5. This involved changes
to all policy modules as we moved to modular policy.
MCS has also been introduced and major changes to allow MLS
functionality. Major changes are being introduced into the kernel all
the time that affect SELinux. The problem you are seeing was the
addition of labeled networking via IPSEC. I believe I have a new policy
(selinux-policy-targeted-2.1.12-1) which should fix your problem. Will
be in Rawhide tonight. SELinux tends to be the fall guy for every other
component that changes on the system. For example if the maintainer of
hal decides it needs to access a new directory and the developer is not
running selinux in enforcing mode, then the new version of hal gets
introduced which is broken by SELinux in enforcing mode. So it looks
like SELinux is broken when in reality the problem was that the SELinux
developers did not know about the change to hal. Rawhide breaks and the
SELinux policy developers fix it in the next day's Rawhide. Not an
excuse, but it is the reality of the Rawhide environment. Hopefully as we
get closer to shipping, these problems will lessen.
audit2allow -M module will now allow you to build your own policy
modules when something breaks. This will allow you to work around
problems in a sane manner.
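The audit2allow -M workflow the message describes, as an added example that is not part of the original post or of the audit2allow tool: a small POSIX sh/awk script that turns AVC denial lines into the allow rules and the .te module source that audit2allow -M would write, so the rules can be reviewed before being compiled and loaded. The AVC lines, the hald/etc_t scenario and the module name local_hal are constructed assumptions.

```shell
#!/bin/sh
# Constructed AVC denial lines in audit.log format; the hald scenario from the
# message is assumed (hald_t touching a new directory labelled etc_t).
AVC_SAMPLE='type=AVC msg=audit(1137527593.123:45): avc:  denied  { read } for  pid=2104 comm="hald" name="newdir" dev=hda2 ino=3901 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1137527593.124:46): avc:  denied  { search } for  pid=2104 comm="hald" name="newdir" dev=hda2 ino=3901 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1137527594.001:47): avc:  denied  { write } for  pid=2104 comm="hald" name="state" dev=hda2 ino=3902 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file'

# avc_to_te: read AVC lines on stdin and emit one allow rule per
# (source type, target type, class), merging permissions as audit2allow does.
avc_to_te() {
    awk '
    /avc: *denied/ {
        src = tgt = cls = perms = ""
        if (match($0, /\{[^}]*\}/)) perms = substr($0, RSTART + 1, RLENGTH - 2)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tgt = b[3] }
            if ($i ~ /^tclass=/) cls = substr($i, 8)
        }
        key = src " " tgt ":" cls
        if (!(key in seen)) { seen[key] = ""; keys[++n] = key }
        m = split(perms, p, " ")
        for (j = 1; j <= m; j++)
            if (index(" " seen[key] " ", " " p[j] " ") == 0) seen[key] = seen[key] " " p[j]
    }
    END {
        for (k = 1; k <= n; k++) {
            sub(/^ /, "", seen[keys[k]])
            printf "allow %s { %s };\n", keys[k], seen[keys[k]]
        }
    }'
}

# te_module NAME: wrap the rules in a minimal .te source, the file that
# audit2allow -M NAME writes and that you should read before loading it.
te_module() {
    rules=$(avc_to_te)
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    printf '%s\n' "$rules" | awk '
    { t[$2]; split($3, c, ":"); t[c[1]]
      for (i = 5; i < NF; i++) if (index(" " cp[c[2]] " ", " " $i " ") == 0) cp[c[2]] = cp[c[2]] " " $i }
    END { for (x in t) printf "\ttype %s;\n", x
          for (x in cp) { sub(/^ /, "", cp[x]); printf "\tclass %s { %s };\n", x, cp[x] } }'
    printf '}\n\n%s\n' "$rules"
}

# Review the generated rules (a write to etc_t from hald_t deserves a second
# look: is the label on the new directory right?), then compile and load:
#   checkmodule -M -m -o local_hal.mod local_hal.te
#   semodule_package -o local_hal.pp -m local_hal.mod && semodule -i local_hal.pp
printf '%s\n' "$AVC_SAMPLE" | te_module local_hal
```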