
Re: selinux breaks revisor



Valent Turkovic wrote:
2008/1/22 Jesse Keating <jkeating redhat com>:
On Tue, 22 Jan 2008 13:29:03 +0100
"Valent Turkovic" <valent turkovic gmail com> wrote:

I tested revisor and wanted to make an up to date version of Fedora 8
Live CD - but selinux put a stop to that.
Selinux is not going to work at all for things like revisor (and
pungi/livecd-creator).  Both make use of chroots to install packages
into, and in certain cases you can wind up causing lots of harm to your
host system (installing a new policy in the chroot will actually cause
that policy to activate on the running kernel and then you have policy
that doesn't match labels, watch the fun!).

It is strongly recommended that you disable SELinux or at least put it
in permissive if you're going to be doing composes.

Is there a way to make selinux aware of that or at least put a
notification window saying that you need to disable selinux in order
to use revisor?
One more issue for removing selinux as I said in an earlier thread :)
Selinux breaks features by design and in a bad way, and I as a user
see more trouble from selinux than it is worth (just MHO).

Valent.


This all started when open source coders heard proprietary vendors insisting bugs were features, and they got so sick of it that in retaliation they wrote a program to insist that features were bugs :)

selinux is a good thing, but the problem is most of the time users aren't aware of it when it's working properly. Few users are ever going to see selinux stop a real vulnerability. That's just the nature of the vulnerabilities themselves. They're rare.

--CJD

