Selinux and package guidelines

Daniel J Walsh dwalsh at redhat.com
Tue May 15 14:32:05 UTC 2007


Kevin Kofler wrote:
> dragoran <drago01 <at> gmail.com> writes:
>   
>> David Woodhouse wrote:
>>     
>>> [...]
>>>  *SElinux*,
>>> [..]
>>>       
>> Thanks for mentioning this. I suggest that any package that creates AVCs 
>> should not pass a review. We have such packages in Extras, and nothing 
>> in the review process takes care of SELinux integration, which is wrong.
>>     
>
> So you want to force reviewers to run with SELinux enabled? That's going to 
> reduce the number of reviewers significantly and increase the load on the 
> review queue even more. I for one have SELinux disabled (completely, so I don't 
> get even permissive AVCs) and I'm surely not the only one. Reviewing is already 
> tedious enough as it stands (it took me over an hour to review Strigi, and it 
> already had some quick pre-review comments by Rex Dieter and me). (It does work 
> though, for example I caught some plugin .so files being mistaken for symlinks 
> and thus accidentally shipped in strigi-devel rather than in the main strigi 
> package, that would definitely have broken things for the end user. So I'm not 
> complaining about the current process, just about your suggestion to add that 
> SELinux requirement.)
>
>         Kevin Kofler
>
>   
I think the point is that someone should test with SELinux 
enabled (especially the packager).  Having these packages go out and 
blow up on an SELinux-enabled system causes me no end of 
headaches.  I would like to see the guidelines eventually state that 
any network-facing daemon would come with an SELinux policy for it.  But 
at a minimum they should require the app to start and stop, and maybe run 
a few rudimentary tests, with SELinux in enforcing mode.
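The minimal check Dan describes (start and stop the daemon with SELinux enforcing, then look at what the policy denied) can be scripted. The following is an added example written for this page, not code from the thread or from Fedora's packaging tooling. It assumes a SysV-style init script reachable through `service NAME start|status|stop`, that auditd is writing to /var/log/audit/audit.log, and that `getenforce` is present; the daemon name "mydaemon", its contexts and the audit lines held in SAMPLE_AUDIT_LOG are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): smoke-test a packaged daemon
# under SELinux enforcing mode and report the AVC denials it produced.
# Assumptions: $1 is the init script name (service "$1" start/status/stop
# works), auditd logs to AUDIT_LOG, getenforce is installed, run as root.

AUDIT_LOG="${AUDIT_LOG:-/var/log/audit/audit.log}"

# Constructed sample audit records (hypothetical daemon "mydaemon", running
# unconfined-by-policy as initrc_t): two denials, one SYSCALL record, one
# MAC_STATUS record from setenforce, and one "granted" AVC that must not
# be counted as a failure.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1179238325.101:201): avc:  denied  { name_connect } for  pid=2101 comm="mydaemon" dest=80 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1179238325.101:201): arch=40000003 syscall=102 success=no exit=-13 comm="mydaemon"
type=AVC msg=audit(1179238326.250:202): avc:  denied  { write } for  pid=2101 comm="mydaemon" name="mydaemon.log" dev=sda3 ino=40123 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=MAC_STATUS msg=audit(1179238330.000:203): enforcing=1 old_enforcing=0 auid=0
type=AVC msg=audit(1179238331.000:204): avc:  granted  { setenforce } for  pid=2200 comm="setenforce" scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security'

# Count AVC denial records read from stdin. "granted" records (auditallow)
# are ignored: only "avc:  denied" lines point at a policy gap or mislabel.
count_avc_denials() {
    grep -c 'avc:  denied' || true
}

# Reduce each denial on stdin to "comm permission(s) tclass scontext -> tcontext",
# deduplicated, so the packager sees what the policy needs to allow.
summarize_avc_denials() {
    grep 'avc:  denied' \
      | sed -n 's/.*denied  { \([^}]*\) } for .*comm="\([^"]*\)".*scontext=\([^ ]*\) tcontext=\([^ ]*\) tclass=\([^ ]*\).*/\2 \1 \5 \3 -> \4/p' \
      | sort -u
}

# Lifecycle smoke test: refuse to run unless SELinux is Enforcing (Permissive
# logs denials but never exercises the resulting failure), remember where the
# audit log ends, start/status/stop the service, then report only the denials
# that appeared during the run.
smoke_test_service() {
    svc="$1"
    mode=$(getenforce 2>/dev/null || echo Unavailable)
    if [ "$mode" != "Enforcing" ]; then
        echo "SELinux is $mode; this test needs Enforcing (try: setenforce 1)" >&2
        return 2
    fi
    before=$(wc -l < "$AUDIT_LOG")
    service "$svc" start
    sleep 2
    service "$svc" status || true    # assumption: init script supports "status"
    service "$svc" stop
    tmp=$(mktemp)
    tail -n +"$((before + 1))" "$AUDIT_LOG" > "$tmp"
    n=$(count_avc_denials < "$tmp")
    if [ "$n" -gt 0 ]; then
        echo "$n AVC denial(s) while starting/stopping $svc:" >&2
        summarize_avc_denials < "$tmp" >&2
        rm -f "$tmp"
        return 1
    fi
    rm -f "$tmp"
    echo "no AVC denials for $svc"
}

# Run the live test only when asked, e.g.:  SELINUX_SMOKE_RUN=1 sh smoke.sh mydaemon
if [ "${SELINUX_SMOKE_RUN:-0}" = "1" ]; then
    smoke_test_service "$1"
fi
```

Two caveats when reading the result: a clean run is only as good as what the start/stop path exercised, so add the daemon's real work (accept a connection, write its log) before calling it clean; and policy dontaudit rules silence some denials, so an empty report is not proof that the policy covers the daemon.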



