Re: selinux rant, compressed version (Was Re: kernels won't boot)

On Thu, 2008-01-03 at 15:48 -0500, Jesse Keating wrote:
> On Thu, 03 Jan 2008 15:43:26 -0500
> David Zeuthen <david fubar dk> wrote:
> >    Typical responses:
> >      - "rpm cannot handle SELinux policy": <- bullshit; it's not much
> >        different from other file meta data; do we store file modes and
> >        permissions centrally too? No.
> I don't know where you're getting this "typical" response from.  The
> problem isn't rpm, the problem is selinux itself, not allowing rpm to
> write out files that have a context it doesn't know about (yet), since
> the context may be in the policy it's laying down.  Think chroots or
> anaconda or livecreation.  Until the selinux upstream gets a clue
> on this one we're stuck.  It's not like people haven't been arguing
> this point for many many years now...

Sure, granted. I wasn't really ranting at the .rpm or .deb people here.

(However, no one prevents you from using SELinux in permissive mode
during installs or live CD creation and then relabeling the fs at the end.
Heck, at least for the latter I'm pretty sure you can't even use
enforcing mode because the SELinux policy is so draconian as part of
its complexity.)
