selinux breaks revisor

John Dennis jdennis at redhat.com
Tue Jan 22 17:24:50 UTC 2008


Valent Turkovic wrote:
> 2008/1/22 Jesse Keating <jkeating at redhat.com>:
>> On Tue, 22 Jan 2008 13:29:03 +0100
>> "Valent Turkovic" <valent.turkovic at gmail.com> wrote:
>>
>>> I tested revisor and wanted to make an up to date version of Fedora 8
>>> Live CD - but selinux put a stop to that.
>> Selinux is not going to work at all for things like revisor (and
>> pungi/livecd-creator).  Both make use of chroots to install packages
>> into, and in certain cases you can wind up causing lots of harm to your
>> host system (installing a new policy in the chroot will actually cause
>> that policy to activate on the running kernel and then you have policy
>> that doesn't match labels, watch the fun!).
>>
>> It is strongly recommended that you disable SELinux or at least put it
>> in permissive if you're going to be doing composes.
> 
> Is there a way to make selinux aware of that or at least put a
> notification window saying that you need to disable selinux in order
> to use revisor?

Revisor could be aware of SELinux and provide a warning, SELinux cannot 
do this.

> One more issue for removing selinux as I said in an earlier thread :)
> Selinux breaks features by design and in a bad way, and I as a user
> see more trouble from selinux than it is worth (just MHO).

Your dissatisfaction with SELinux has been duly noted by the list, you 
are free to disable it. However, we would prefer contributions to make 
the distribution more robust and smooth out the bumps rather than 
disabling the technology. Your choice.

-- 
John Dennis <jdennis at redhat.com>
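
The kind of start-up warning discussed in this thread, as an added example that is not part of the original message and not Revisor's own code: a compose tool reads the kernel's enforce flag from selinuxfs and refuses to start while SELinux is enforcing. The function names, the message text and the `fake_selinuxfs` helper are hypothetical; the mount points are the standard selinuxfs locations.

```python
import os
import tempfile

# selinuxfs mount points: current kernels use /sys/fs/selinux, older ones /selinux.
SELINUXFS_CANDIDATES = ("/sys/fs/selinux", "/selinux")

def selinux_mode(mounts=SELINUXFS_CANDIDATES):
    """Return 'enforcing', 'permissive' or 'disabled' for the running kernel."""
    for mount in mounts:
        enforce = os.path.join(mount, "enforce")
        try:
            with open(enforce) as fh:
                value = fh.read().strip()
        except OSError:
            continue  # no readable enforce file here; try the next candidate
        return "enforcing" if value == "1" else "permissive"
    return "disabled"  # no selinuxfs found: SELinux is off or not built in

def compose_preflight(mounts=SELINUXFS_CANDIDATES):
    """Return (ok, message) for a hypothetical compose tool's start-up check."""
    mode = selinux_mode(mounts)
    if mode == "enforcing":
        return False, ("SELinux is enforcing. Composing into a chroot can load "
                       "the chroot's policy into the running kernel; switch to "
                       "permissive (setenforce 0) or disable SELinux first.")
    return True, "SELinux is %s; continuing with compose." % mode

def fake_selinuxfs(value):
    """Build a constructed stand-in for selinuxfs so the check runs anywhere."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "enforce"), "w") as fh:
        fh.write(value)
    return root

if __name__ == "__main__":
    ok, msg = compose_preflight()
    print(msg)
    raise SystemExit(0 if ok else 1)
```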



