Request to re-add option to disable SELinux
James Morris
jmorris at namei.org
Thu Jul 3 13:53:16 UTC 2008

On Thu, 3 Jul 2008, Dave Airlie wrote:
> That's all nice and all, but really SELinux on by default has never
> worked on a Fedora gold release, there is always some path through some
> program that didn't get tested, how about you guys try and come up with
> a way to solve those problems in advance or at least give developers
> some tools so regressions in SELinux policy can be tracked.
>
> Like we have rpmdiff and that other internal rpm thingy for RHEL,
> perhaps SELinux team could construct a similar tool that says your new
> package is going to violate policy where your old package didn't.

I'm not sure that's feasible -- if it were that simple, the policy would
write itself. Possibly something can be done, but it won't make up for
lack of testing. I know of several major packages which cannot possibly
have been tested with SELinux before being shipped.

Even if all people do is enable SELinux for ten minutes at some stage
prior to release, and file the audit logs into a bz, that would probably
fix most of these issues.

Perhaps we should be thinking in terms of establishing the practice of
developers doing all development with SELinux enabled and in enforcing
mode, providing tools to support that. e.g. implement a wrapper for
automated policy module generation for devel use only, and the developer
submits the generated module to the SELinux team at some point, like
during an alpha release, and an "official" policy module is developed from
that and committed to rawhide. i.e. incorporate SELinux policy
development into the overall development process with the package
developers involved from the start and getting assistance from the
SELinux folk.

- James
--
James Morris
<jmorris at namei.org>
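
The message above suggests collecting audit logs from a short test run and generating a draft policy module from them. The following sketch is an added example, not part of the original message and not the wrapper it proposes: it reduces AVC denial records to candidate allow rules for review. The daemon name `exampled`, its type `exampled_t` and the log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit records for a hypothetical daemon "exampled".
SAMPLE_LOG = """\
type=AVC msg=audit(1215093196.101:41): avc:  denied  { read } for  pid=2345 comm="exampled" name="state.db" dev=dm-0 ino=1234 scontext=system_u:system_r:exampled_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1215093196.101:41): arch=c000003e syscall=2 success=no exit=-13 comm="exampled"
type=AVC msg=audit(1215093196.205:42): avc:  denied  { write } for  pid=2345 comm="exampled" name="state.db" dev=dm-0 ino=1234 scontext=system_u:system_r:exampled_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1215093197.310:43): avc:  denied  { name_bind } for  pid=2345 comm="exampled" src=8081 scontext=system_u:system_r:exampled_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1215093198.000:44): avc:  granted  { read } for  pid=2345 comm="exampled" scontext=system_u:system_r:exampled_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

# Matches only denials; "granted" records and non-AVC records are skipped.
AVC_DENIED = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    fields = context.split(":")
    return fields[2] if len(fields) >= 3 else None

def collect_denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        match = AVC_DENIED.search(line)
        if not match:
            continue
        src, tgt = context_type(match["scon"]), context_type(match["tcon"])
        if src is None or tgt is None:
            continue  # malformed context: leave it for manual inspection
        denials[(src, tgt, match["tclass"])].update(match["perms"].split())
    return denials

def render_allow_rules(denials):
    """Render one candidate allow rule per group, in a stable order."""
    rules = []
    for (src, tgt, tclass), perms in sorted(denials.items()):
        ordered = sorted(perms)
        perm_text = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {perm_text};")
    return rules

if __name__ == "__main__":
    print("\n".join(render_allow_rules(collect_denials(SAMPLE_LOG))))
```

Rules produced this way are a draft for policy review: a denial against a generic type such as `var_lib_t` often points to a missing file label rather than a missing allow rule.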