Nicolas Mailhot wrote:
> We are finished introducing new policy for additional targets at this point. We should only be fixing existing policy problems.
>
> Hans de Goede wrote:
> > It is really not that bad, as long as you learn:
> > - system does poof
> > - don't panic, most likely selinux *
> > - reboot with selinux=disabled
> > - try again after a few days without selinux=disabled
>
> It's really that bad.
>
> If you're running half the time with selinux disabled, how are you supposed to trace when/how individual selinux problems are fixed/introduced?
There has been a major rewrite of policy in FC5. This involved changes to all policy modules as we moved to modular policy. MCS has also been introduced, along with major changes to allow MLS functionality. Major changes are being introduced into the kernel all the time that affect SELinux. The problem you are seeing was the addition of labeled networking via IPSEC. I believe I have a new policy on ftp://people.redhat.com/dwalsh/SELinux (selinux-policy-targeted-2.1.12-1) which should fix your problem. It will be in Rawhide tonight.

SELinux tends to be the fall guy for every other component that changes on the system. For example, if the maintainer of hal decides it needs to access a new directory and the developer is not running SELinux in enforcing mode, then the new version of hal gets introduced and is broken by SELinux in enforcing mode. So it looks like SELinux is broken when in reality the problem was that the SELinux developers did not know about the change to hal. Rawhide breaks and the SELinux policy developers fix it in the next day's Rawhide. Not an excuse, but it is the reality of the Rawhide environment. Hopefully, as we get closer to shipping, these problems will lessen.
audit2allow -M module will now allow you to build your own policy modules when something breaks. This will allow you to work around problems in a sane manner.
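To make the audit2allow -M workflow concrete, here is an added example (not code from the thread, Fedora, or the audit2allow tool itself) that does by hand what the tool does: it parses AVC denial records from the audit log, collapses them into per-(source type, target type, class) permission sets, and renders a policy module source (.te) in the same shape audit2allow -M produces. The AVC lines, the module name `myhald`, and the contexts in them are constructed for the example, not taken from the original thread.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from the original thread); the
# process name, contexts and inode numbers are illustrative only. The
# trailing SYSCALL record shows that non-AVC lines must be skipped.
SAMPLE_AVCS = """\
type=AVC msg=audit(1136560123.456:78): avc:  denied  { read } for  pid=2345 comm="hald" name="example" dev=sda1 ino=4711 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1136560123.457:79): avc:  denied  { search } for  pid=2345 comm="hald" name="example" dev=sda1 ino=4711 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1136560124.001:80): avc:  denied  { getattr } for  pid=2345 comm="hald" path="/var/lib/example/state" dev=sda1 ino=4712 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1136560124.001:80): arch=40000003 syscall=195 success=no exit=-13
"""

# Matches the parts of an AVC denial a policy rule is built from:
# the permission set in braces, the source and target contexts, and the class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc_denials(text):
    """Return {(source_type, target_type, tclass): set(perms)} from raw audit lines."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no rule information
        # A context is user:role:type[:range]; the type is the third field.
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        rules[(stype, ttype, m.group("tclass"))].update(m.group("perms").split())
    return dict(rules)


def build_te_module(name, rules, version="1.0"):
    """Render module source (.te) in the shape audit2allow -M emits."""
    types = set()
    classes = defaultdict(set)
    for (stype, ttype, tclass), perms in rules.items():
        types.update((stype, ttype))
        classes[tclass].update(perms)
    lines = [f"module {name} {version};", "", "require {"]
    for t in sorted(types):
        lines.append(f"\ttype {t};")
    for c in sorted(classes):
        lines.append(f"\tclass {c} {{ {' '.join(sorted(classes[c]))} }};")
    lines += ["}", ""]
    for key in sorted(rules):
        stype, ttype, tclass = key
        perms = " ".join(sorted(rules[key]))
        lines.append(f"allow {stype} {ttype}:{tclass} {{ {perms} }};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rules = parse_avc_denials(SAMPLE_AVCS)
    print(build_te_module("myhald", rules), end="")
    # With the real tool the equivalent is:
    #   audit2allow -M myhald < /var/log/audit/audit.log
    #   semodule -i myhald.pp
    # -M runs checkmodule and semodule_package to turn the .te into a loadable .pp.
```

The output groups the two `dir` denials into one `allow hald_t var_lib_t:dir { read search };` rule and keeps the `file` denial separate, which is why reading the generated .te before loading it matters: each rule is exactly as broad as the denials that produced it, so a denial caused by a mislabeled file yields a rule that grants the domain access to every file of that label rather than a relabel.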