Request to re-add option to disable SELinux

[James Morris]

On Thu, 3 Jul 2008, Dave Airlie wrote:

> That's all nice and all, but really SELinux on by default has never
> worked on a Fedora gold release, there is always some path through some
> program that didn't get tested, how about you guys try and come up with
> a way to solve those problems in advance or at least give developers
> some tools so regressions in SELinux policy can be tracked.
> 
> Like we have rpmdiff and that other internal rpm thingy for RHEL,
> perhaps SELinux team could construct a similiar tool that says your new
> package is going to violate policy where your old package didn't.

I'm not sure that's feasible -- if it were that simple, the policy would 
write itself.  Possibly something can be done, but it won't make up for 
lack of testing.  I know of several major packages which cannot possibly 
have been tested with SELinux before being shipped.

Even if all people do is enable SELinux for ten minutes at some stage 
prior to release, and file the audit logs into a bz, that would probably 
fix most of these issues.

Perhaps we should be thinking in terms of establishing the practice of 
developers doing all development with SELinux enabled and in enforcing 
mode, providing tools to support that.  e.g. implement a wrapper for 
automated policy module generation for devel use only, and the developer 
submits the generated module to the SELinux team at some point, like 
during an alpha release, and an "official" policy module is developed from 
that and committed to rawhide.  i.e. incorporate SELinux policy 
development into the overall development process with the package 
developers involved from the start and getting assistance from the 
SELinux folk.


- James
-- 
James Morris
<jmorris at namei.org>