How vulnerable can it be?

Jim Cornette fc-cornette at insight.rr.com
Sat Jun 24 03:04:19 UTC 2006


Peter Gordon wrote:
> Jim Cornette wrote:
>>> [2] SELinux set to enforced
>> It is safer for correct install to set SELinux to permissive during
>> updates. There could be issues with %post and %pre scriptlets when
>> running rpm, yum or other dep solver/installers.
> 
> Would you expand on this a bit please? Every Fedora install I've done
> since I resumed it as my distro of choice soon after FC4's release has
> been with the targeted policy running in Enforcing mode, and I've had no
> noticeable errors with RPM scriptlets. Thanks.
> 
> 

Throughout my participation with rawhide, and also from reading earlier 
postings regarding problems with scriptlets failing with yumex, I do not 
want to continually police my system for duplicate rpm listings, missing 
files from rpms or wrong permissions set on files.

When the policies are setup correctly, scriptlets are not a problem 
related to SELinux influences. When the SELinux policies are not set 
correctly, updating resembles any threat that you are trying to prevent 
from happening.

For my personal encounter with selinux in enforcing during an upgrade, see:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=177883

Also, we discussed duplicate packages causing errors on the development 
list. Steve Grubb, with feedback from others on the list, worked out a 
script that can be run to detect duplicate or mismatched packages. It 
makes allowances for kernel and public keys so they do not show in the output.

I posted it on the fedoraproject.org wiki:

http://fedoraproject.org/wiki/JimCornette?action=AttachFile&do=get&target=sg-dupes-mv.sh

I have selinux in enforcing when not updating. I do sometimes forget to 
put SELinux in permissive until after the update. Running the script 
above, I get one multi-revision rpm, as listed below.

  ~/sg-dupes-mv.sh
Searching for duplicates
Duplicates were found:
librsvg2-2.15.0-1
librsvg2-2.15.0-3


I tried not to blame anything on SELinux by backing down to "safer" as the 
terminology, rather than "I would not update when in enforcing mode", which 
is a personal choice for me.

Jim

-- 
A team effort is a lot of people doing what I say.
		-- Michael Winner, British film director
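The duplicate check described in the post above, written here as an added example rather than Steve Grubb's sg-dupes-mv.sh: a POSIX shell filter over `rpm -qa` style lines that reports every package installed in more than one version while ignoring kernels and gpg-pubkey entries, so a half-finished yum/rpm transaction (the kind the post worries about when scriptlets fail) shows up as a leftover pair. The package list is constructed for the example; a live run would feed it `rpm -qa` instead.

```shell
#!/bin/sh
# Added example, not the script from the post. Lines are in the form
# name-version-release[.arch], as "rpm -qa" prints them.

# Constructed sample of "rpm -qa" output (a real run would use: rpm -qa).
# Two kernels and two gpg-pubkey entries are normal and must be ignored;
# the two librsvg2 revisions are the kind of leftover the post shows.
SAMPLE_RPM_QA='librsvg2-2.15.0-1
librsvg2-2.15.0-3
kernel-2.6.17-1.2139_FC5
kernel-2.6.17-1.2145_FC5
gpg-pubkey-4f2a6fd2-3f9d9d3b
gpg-pubkey-30c9ecf8-3f9d9d3b
coreutils-5.93-7.2'

# find_dupes: read rpm -qa style lines on stdin; print the full NVR of
# every package whose name occurs more than once, sorted, one per line.
find_dupes() {
    awk '
        {
            n = $0
            sub(/\.(i386|i686|x86_64|ppc|noarch)$/, "", n)  # drop .arch
            sub(/-[^-]*$/, "", n)                            # drop release
            sub(/-[^-]*$/, "", n)                            # drop version
            # kernels are meant to be multiply installed; gpg-pubkey
            # pseudo-packages are one per imported signing key.
            if (n ~ /^kernel/ || n == "gpg-pubkey") next
            count[n]++
            lines[n] = lines[n] $0 "\n"
        }
        END { for (n in count) if (count[n] > 1) printf "%s", lines[n] }
    ' | sort
}

# report: print in the same shape as the output quoted in the post.
report() {
    echo "Searching for duplicates"
    dupes=$(find_dupes)
    if [ -n "$dupes" ]; then
        echo "Duplicates were found:"
        echo "$dupes"
    else
        echo "No duplicates found"
    fi
}

printf '%s\n' "$SAMPLE_RPM_QA" | report
```

Any package that appears in the output should be checked with `rpm -V` and the newer revision verified before deciding which copy to remove.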