[Fedora-packaging] SELinux testing

Bill Nottingham notting at redhat.com
Mon Sep 11 14:02:34 UTC 2006


James Morris (jmorris at redhat.com) said: 
> This guideline would request that developers test their package with 
> SELinux enabled (and by this I mean in enforcing mode) and follow a simple 
> procedure:
> 
> 1. Ensure they have the latest SELinux policy installed.
> 2. Boot with selinux=1 and in enforcing mode.
> 3. Perform the normal testing of their application.
> 4. Check syslog (or /var/log/audit/audit.log if audit is enabled) for AVC 
>    messages related to their package.
> 
> If there are any bugs or AVC messages:
> 
> 5. Obtain support from the SELinux team.  The best way to do this I
> believe is to file a bugzilla against the selinux-policy package.  They
> should note that they are a Fedora packager (and expect a high priority
> response).  If SELinux is running all or most of the time, issues will be
> caught and fixed earlier in their dev cycle.
> 
> 6. Don't release the package until the SELinux issue is resolved.

I'd suggest all of the following except #6 - make sure the issues are
known, give a reasonable amount of time for fixes, but not necessarily
hold until release. For example, fixes may not be backported to earlier
releases, or the SELinux changes might require kernel fixes that are
non-trivial to implement.

Bill
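
Step 4 of the quoted procedure (checking the log for AVC messages related to a package), sketched as an added example that is not part of the original thread. It parses AVC denial lines in both audit.log and syslog form and groups them by source type, target type and object class for the package's processes; the process name `mydaemon` and all log lines are constructed samples.

```python
import re
from collections import defaultdict

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample input: three denials for "mydaemon", one for another
# process, and one non-AVC audit record that must be ignored.
SAMPLE_LOG = """\
type=AVC msg=audit(1157983354.123:42): avc:  denied  { read } for  pid=2345 comm="mydaemon" name="mydaemon.conf" dev=dm-0 ino=12345 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1157983355.456:43): avc:  denied  { write } for  pid=2345 comm="mydaemon" name="mydaemon.conf" dev=dm-0 ino=12345 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
Sep 11 14:02:36 host kernel: audit(1157983356.789:44): avc:  denied  { name_bind } for  pid=2345 comm="mydaemon" src=8081 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1157983357.000:45): avc:  denied  { getattr } for  pid=999 comm="otherd" name="x" dev=dm-0 ino=1 scontext=system_u:system_r:otherd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1157983354.123:42): arch=40000003 syscall=5 success=no exit=-13 comm="mydaemon"
"""

def parse_avc(line):
    """Return the fields of an AVC denial line as a dict, or None otherwise."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    return rec

def se_type(context):
    """Extract the type from a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def denials_for(lines, comms):
    """Map (source type, target type, class) -> sorted denied permissions,
    restricted to denials whose comm= field is one of `comms`."""
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec.get("comm") not in comms:
            continue
        key = (se_type(rec.get("scontext", "")), se_type(rec.get("tcontext", "")), rec.get("tclass", ""))
        grouped[key].update(rec["perms"])
    return {k: sorted(v) for k, v in grouped.items()}

if __name__ == "__main__":
    for (src, tgt, cls), perms in denials_for(SAMPLE_LOG.splitlines(), {"mydaemon"}).items():
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```

The grouped summary is a compact form to attach to the bugzilla report mentioned in step 5.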



