[Ovirt-devel] [PATCH server] fix selinux disable command during installer

Jeremy Katz katzj at redhat.com
Fri Feb 6 16:27:04 UTC 2009


On Friday, February 06 2009, Perry Myers said:
> Jeremy Katz wrote:
>> On Thursday, February 05 2009, Joey Boggs said:
>>> This fixes an issue seen in the appliance during boot/buildtime, I've 
>>> been able to reproduce only a few times but needed to be fixed 
>>> anyways
>>
>> Wait, why are we disabling SELinux?
>
> Calm down, don't overreact :)
>
> It has always been disabled on the oVirt appliance.  We haven't had the  
> time to work through the various issues that appear when it is enabled 
> yet.

And by just having it disabled, you don't make the issues appear and so
no one sees them and no one looks at it.  Permissive at least means that
AVCs are available for people to start looking through and getting fixes

> It's certainly on our plan to turn it on, resolve the issues, and proceed 
> forward.  In fact, for the oVirt Node we've already done this.  But the  
> appliance was less of a concern because it is only meant for demos.
>
> Where it is more important to get SELinux working is on bare metal server 
> installations.  And I believe that Joey and other folks will be working 
> on making sure that with SELinux enabled and targeted, that all of the 
> core oVirt services will work properly.

The thing is that it should actually be _easier_ with the appliance case
because you're more constrained in what the "machine" is doing.  The
bare metal server is, conceivably, doing more and so you need to not
conflict with other policy decisions.

Jeremy
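
Added example, not part of the original message or of oVirt's code: with SELinux disabled no policy is loaded and nothing is logged, while in permissive mode each would-be denial is written to the audit log as an AVC record without being enforced. The sketch below groups such records so they can be triaged; the log lines, the `taskd` process name and the helper names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in audit.log format (not captured from a real oVirt appliance).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1233937624.101:41): avc:  denied  { read } for  pid=2101 comm="httpd" name="example.conf" dev=dm-0 ino=1201 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=SYSCALL msg=audit(1233937624.101:41): arch=c000003e syscall=2 success=yes exit=3 comm="httpd"
type=AVC msg=audit(1233937630.554:47): avc:  denied  { read } for  pid=2101 comm="httpd" name="example.conf" dev=dm-0 ino=1201 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1233937641.020:52): avc:  denied  { name_connect } for  pid=2250 comm="ruby" dest=5432 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1233937655.310:60): avc:  denied  { write append } for  pid=2301 comm="taskd" name="example.log" dev=dm-0 ino=1377 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

# Fields of an AVC denial: permission set, process name, source/target context, object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def summarize_denials(log_text):
    """Count denials per (comm, source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # non-AVC records (SYSCALL, PATH, ...) are skipped
        key = (m["comm"], selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
        for perm in m["perms"].split():
            counts[key + (perm,)] += 1
    return counts

if __name__ == "__main__":
    for (comm, src, tgt, cls, perm), n in summarize_denials(SAMPLE_AUDIT_LOG).most_common():
        print(f"{n:3d}  {comm}: {src} -> {tgt}:{cls} {{ {perm} }}")
```

Each distinct row is one policy question to answer (fix a file label, adjust the service, or extend policy) before switching the system to enforcing.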



