[Ovirt-devel] [PATCH server] fix selinux disable command during installer
Perry Myers
pmyers at redhat.com
Fri Feb 6 17:04:14 UTC 2009

Jeremy Katz wrote:
> On Friday, February 06 2009, Perry Myers said:
>> Jeremy Katz wrote:
>>> On Thursday, February 05 2009, Joey Boggs said:
>>>> This fixes an issue seen in the appliance during boot/buildtime, I've
>>>> been able to reproduce only a few times but needed to be fixed
>>>> anyways
>>> Wait, why are we disabling SELinux?
>> Calm down, don't overreact :)
>>
>> It has always been disabled on the oVirt appliance. We haven't had the
>> time to work through the various issues that appear when it is enabled
>> yet.
>
> And by just having it disabled, you don't make the issues appear and so
> no one sees them and no one looks at it. Permissive at least means that
> avcs are available for people to start looking through and getting fixes

I've got no problem with enabled/permissive. Joey, can you amend your
patch to do this?

>> It's certainly on our plan to turn it on, resolve the issues, and proceed
>> forward. In fact, for the oVirt Node we've already done this. But the
>> appliance was less of a concern because it is only meant for demos.
>>
>> Where it is more important to get SELinux working is on bare metal server
>> installations. And I believe that Joey and other folks will be working
>> on making sure that with SELinux enabled and targeted, that all of the
>> core oVirt services will work properly.
>
> The thing is that it should actually be _easier_ with the appliance case
> because you're more constrained in what the "machine" is doing. The
> bare metal server is, conceivably, doing more and so you need to not
> conflict with other policy decisions.

Agreed, and I think we'll initially tackle the problem using the appliance
as a testbed. I was just pointing out that the appliance isn't going to
be considered a production tool just to remind people in general :)

Perry