Selinux and package guidelines

Thorsten Leemhuis fedora at leemhuis.info
Tue May 8 05:31:37 UTC 2007


On 08.05.2007 07:03, Kevin Kofler wrote:
> dragoran <drago01 <at> gmail.com> writes:
>> David Woodhouse wrote:
>>> [...]
>>>  *SElinux*,
>>> [..]
>> thx for mentioning this. I suggest that any package that creates AVCs 
>> should not pass a review. We have such packages in extras and nothing 
>> in the review process takes care of SELinux integration, which is wrong.
> So you want to force reviewers to run with SELinux enabled? That's going to 
> reduce the number of reviewers significantly and increase the load on the 
> review queue even more. I for one have SELinux disabled (completely, so I don't 
> get even permissive AVCs) and I'm surely not the only one. Reviewing is already 
> tedious enough as it stands (it took me over an hour to review Strigi, and it 
> already had some quick pre-review comments by Rex Dieter and me). (It does work 
> though, for example I caught some plugin .so files being mistaken for symlinks 
> and thus accidentally shipped in strigi-devel rather than in the main strigi 
> package, that would definitely have broken things for the end user. So I'm not 
> complaining about the current process, just about your suggestion to add that 
> SELinux requirement.)

Kevin and David both have good points IMHO. A solution afaics might
be to have some kind of (semi-)automatic SELinux testsuite running on a
test machine somewhere where users can submit packages for testing. And a
SIG that users can ask in case of problems -- but we have a SELinux
mailing list, which should probably be enough. And maybe we should
suggest somehow to packagers and reviewers to look out for SELinux
trouble (but not as MUST or SHOULD; more as a kind of "best practices"
document).

CU
thl



