[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: selinux rant, compressed version (Was Re: kernels won't boot)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David Zeuthen wrote:
> On Thu, 2008-01-03 at 17:07 -0500, Daniel J Walsh wrote:
>> Well there are several problems with allowing the individual maintainers
>> manage their own policy.
>>
>> #1 they won't.
>> #2 when they do, they do a very bad job of it.  Or basically just end up
>> with unconfined_t.
>> #3 The tools are too slow.  Having 100 semodule -i will cause the
>> installation to take for ever.
>> #4 Interaction between confined domains does not work well when multiple
>>   maintainers writing policy.
>> sendmail, procmail, spamassassin, clamav, postfix, qmail, mailserver,
>> pyzor ... All interact in very complex ways.
>> #5 conflicts on file_context directories/files
> 
> See.. cause and effect.. #1 and #2 are the effects of #3 and the fact
> that the policy is way too big and the whole system is way too
> complicated.
> 
> Besides.. I have asked probably more than ten times (both electronically
> and in person) about maintaining the selinux policy for hal in the
> _upstream_ tarball but I've always been told that it's not possible or
> I've been told to wait. In the meantime it's business as usual; things
> are broken and people turn off SELinux.
> 
> Here's a challenge:  Send me a patch against the hal git repo and the
> RPM spec with the SELinux bits... Then I'll be happy to maintain it;
> including spending time on learning SELinux well enough to do a good
> job. Is this even possible? Should it be possible?
> 
>> David, You are writing an application that is trying to do things on
>> behalf of the user as root.  These activities will cause conflicts and
>> need to be well controlled.  So you are likely to run into problems with
>> SELinux.
> 
> Sigh. Do you really honestly think this is a good answer for upstream
> maintainers that are _willing_ to help?
> 
>      David
> 
> 
I have build a spec file and included the current rawhide sources for
both policy kit and hal.  As soon as you are ready to ship them I will
move them to update status in the selinux-policy package.

If you need help building the  policy or writing policy, please you
know how to reach me.  :^)

If other maintainers are interested in shipping their own policy, I will
make it available.

Dan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkeHhcQACgkQrlYvE4MpobNGwACgnBukrbuALtgu8/M3Uy1gB3Y4
SrkAn0kM5y0IeGosdRrs9JoTebino+Px
=H2NC
-----END PGP SIGNATURE-----

Attachment: hal-policy.tgz
Description: application/compressed-tar

Attachment: hal-policy.tgz.sig
Description: Binary data


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]