Smoothening SELinux Devel During F9 Cycle

Warren Togami wtogami at
Thu Nov 8 22:31:30 UTC 2007

I just spoke at length with dwalsh about ways we can smoothen 
testing/development of SELinux during the F9 cycle.  Here are ideas that 
we came up with.

NOTE: I was wrong in believing that new things were confined late in the 
F8 cycle.  Dan said new things were confined even before Test1, just 
nobody noticed until late.  He said new things actually aren't confined 
very often.  He did however take responsibility for the -42 mistake, 
which caused great distress during the past freeze.

These two rules should help to smoothen this out for the next cycle.

RULE #1:
When new confines happen (or anything causing the default rules to be 
more restrictive), Dan will write up an e-mail summary describing the 
new restrictions and notify fedora-devel-announce.  This is to set 
expectations and make it easier for people to test for breakage and 
submit reports to fine tune the selinux-policy.  If we reach the final 
freeze and a confined application is still broken, we can consider 
unconfining it.

RULE #2:
During the freeze period when rel-eng reviews and allows/denies changes, 
Dan will write more explicit %changelog entries and poke rel-eng@ when 
he wants a build to be included.  The %changelog entries should make it 
easier to test the changes and to make a determination whether we want 
to allow it in the release.

Grow Awareness
Additionally, we need to do more training/blog announcements/etc both to 
Red Hat engineers and Fedora developers to not be so afraid of SELinux. 
  I know that I personally became a lot more comfortable with running 
with enforcing mode only after he sat down and showed me how easy it is 
to use audit2allow -M.  We need to do more promotion of these VERY BASIC 
SKILLS and how to file a proper AVC bug report.

All developers need to be comfortable about running with enforcing mode, 
to help to fix the SELinux rules rather than live in denial.

(Lame pun?)

Warren Togami
wtogami at

More information about the fedora-devel-list mailing list