Expectation Management for Test Releases

Gene C. czar at czarc.net
Wed Apr 21 09:44:25 UTC 2004 

On Tuesday 20 April 2004 23:28, Jeremy Katz wrote:
> On Tue, 2004-04-20 at 18:01, Gene C. wrote:
> > So, my question:  For FC2 final (and really Test3 also), should those of
> > us interested in selinux and willing to put up with some problem continue
> > to install it enabled?  If policy is going to be redesigned, is this
> > worth the effort.  Naturally, any bugs found in FC2T3 would be reported
> > but I am not sure anyone will have time to address them.  Furthermore, if
> > the plan is to redesign things post FC2 (planned for FC3 I assume),
> > little attention will be given to bugs in this old mechanism.
>
> Yes, we very much strongly encourage those who are very interested in
> SELinux and comfortable enough to work with it to continue installing
> with it enabled and in enforcing mode as well as continue to help us
> work out the problems as they're discovered.  That's why we're leaving
> the possibility of enabling it there.  

OK, I will continue installing enforcing although I may hedge my bets and do 
some testing with selinux disabled also (to make sure all applications I 
really need to work do work).

I just wanted to make sure that any new problems involving policy in with 
FC2T3 or FC2-final will at least be looked at ... no use testing this stuff 
if problems will be ignored.

>
> It's just that it's not ready for the masses to consume yet, and in
> doing so, we'd just end up with a Fedora Core release that was less
> stable and with many apparent bugs due to SELinux.  We'll probably go
> through this again with FC3 where I plan to return things to enforcing
> by default in the development tree very soon after the release of FC2.

Yes, it does not help either Fedora or SELinux to get a "bad name" because 
there was not enough time left to get everything working.

>
> As far as redesign of policy, there's discussion around developing a
> less strict policy, ie, one that allows users in general to do things
> but takes the approach of locking down specific services.  But the hope
> is to do this in such a way that you can trivially switch back and forth
> between the policies with a simple toggle and thus any testing on the
> stricter policy we have now will still be quite useful.  Think of it
> along the lines of the old Medium vs High firewall distinction.

Mmm ... In Jeff Johnson's message 
http://www.redhat.com/archives/fedora-selinux-list/2004-April/msg00268.html
he implies there there will be some redesign of how policy is implemented 
("the entire mechanism is gonna be scrapped and redone") ... at least that is 
my understanding of what he said.  The current situation with a single policy 
package (resulting in policy and policy-sources runtime packages) which 
covers everything does not address packages outside of Fedora Core very well.  
If an Extra or 3rd party package adds some policy definitions (to 
policy-courses files), does the policy get rebuilt by the Extra/3rd-party 
package?  This would require every system to include policy-sources and the 
other packages necessary to rebuild the policy from source rules.

It is this "redesign" that I was wondering about.  Will enough attention be 
paid to problems with the existing policy ... will there be sufficient time 
available to allow developers the time to do any redesign if they need to 
look at fixing problems?  Or, will existing problems be ignored in the 
interest of working on the redesign?

This is NOT intended as a flame of any kind but the track record of addressing 
existing problems is not good.  My own experience (on FC1) with gnome-panel 
(draw problem) and gftp is that with upstream fixes available, official 
packages took far too long to be reasonable (See discussions about old bugs 
on the fedora-devel-list).  If selinux/policy bug reports will be addressed 
(not necessarily solved), then I will continue trying to work with 
enforcing=1.  However, I do worry about the commitment to addressing bugs 
versus redesigning things.  I am an engineer and can certainly understand 
that it can be much more fun to work on a new design which just does not have 
the problems of a current implementation rather than fixing problems in the 
current implementation.
-- 
Gene

More information about the fedora-test-list mailing list