selinux breaks revisor

Casey Dahlin cjdahlin at ncsu.edu
Tue Jan 22 16:49:50 UTC 2008


Valent Turkovic wrote:
> 2008/1/22 Jesse Keating <jkeating at redhat.com>:
>   
>> On Tue, 22 Jan 2008 13:29:03 +0100
>> "Valent Turkovic" <valent.turkovic at gmail.com> wrote:
>>
>>     
>>> I tested revisor and wanted to make an up to date version of Fedora 8
>>> Live CD - but selinux put a stop to that.
>>>       
>> Selinux is not going to work at all for things like revisor (and
>> pungi/livecd-creator).  Both make use of chroots to install packages
>> into, and in certain cases you can wind up causing lots of harm to your
>> host system (installing a new policy in the chroot will actually cause
>> that policy to activate on the running kernel and then you have policy
>> that doesn't match labels, watch the fun!).
>>
>> It is strongly recommended that you disable SELinux or at least put it
>> in permissive if you're going to be doing composes.
>>     
>
> Is there a way to make selinux aware of that or at least put a
> notification window saying that you need to disable selinux in order
> to use revisor?
> One more issue for removing selinux as I said in an earlier thread :)
> Selinux breaks features by design and in a bad way, and I as a user
> see more trouble from selinux than it is worth (just MHO).
>
> Valent.
>
>
>   
This all started when open source coders heard proprietary vendors 
insisting bugs were features, and they got so sick of it that in 
retaliation they wrote a program to insist that features were bugs :)

selinux is a good thing, but the problem is most of the time users 
aren't aware of it when it's working properly. Few users are ever going 
to see selinux stop a real vulnerability. That's just the nature of the 
vulnerabilities themselves. They're rare.

--CJD



