[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Smoothening SELinux Devel During F9 Cycle

I just spoke at length with dwalsh about ways we can smoothen testing/development of SELinux during the F9 cycle. Here are ideas that we came up with.

NOTE: I was wrong in believing that new things were confined late in the F8 cycle. Dan said new things were confined even before Test1, just nobody noticed until late. He said new things actually aren't confined very often. He did however take responsibility for the -42 mistake, which caused great distress during the past freeze.

These two rules should help to smoothen this out for the next cycle.

RULE #1:
When new confines happen (or anything causing the default rules to be more restrictive), Dan will write up an e-mail summary describing the new restrictions and notify fedora-devel-announce. This is to set expectations and make it easier for people to test for breakage and submit reports to fine tune the selinux-policy. If we reach the final freeze and a confined application is still broken, we can consider unconfining it.

RULE #2:
During the freeze period when rel-eng reviews and allows/denies changes, Dan will write more explicit %changelog entries and poke rel-eng@ when he wants a build to be included. The %changelog entries should make it easier to test the changes and to make a determination whether we want to allow it in the release.

Grow Awareness
Additionally, we need to do more training/blog announcements/etc both to Red Hat engineers and Fedora developers to not be so afraid of SELinux. I know that I personally became a lot more comfortable with running with enforcing mode only after he sat down and showed me how easy it is to use audit2allow -M. We need to do more promotion of these VERY BASIC SKILLS and how to file a proper AVC bug report.

All developers need to be comfortable about running with enforcing mode, to help to fix the SELinux rules rather than live in denial.

(Lame pun?)

Warren Togami
wtogami redhat com

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]