[Ovirt-devel] [PATCH server] fix selinux disable command during installer

Perry Myers pmyers at redhat.com
Fri Feb 6 17:04:14 UTC 2009


Jeremy Katz wrote:
> On Friday, February 06 2009, Perry Myers said:
>> Jeremy Katz wrote:
>>> On Thursday, February 05 2009, Joey Boggs said:
>>>> This fixes an issue seen in the appliance during boot/buildtime. I've 
>>>> been able to reproduce it only a few times, but it needed to be fixed 
>>>> anyways
>>> Wait, why are we disabling SELinux?
>> Calm down, don't overreact :)
>>
>> It has always been disabled on the oVirt appliance.  We haven't had the  
>> time to work through the various issues that appear when it is enabled 
>> yet.
> 
> And by just having it disabled, you don't make the issues appear and so
> no one sees them and no one looks at it.  Permissive at least means that
> avcs are available for people to start looking through and getting fixes

I've got no problem with enabled/permissive.  Joey, can you amend your 
patch to do this?

>> It's certainly on our plan to turn it on, resolve the issues, and proceed 
>> forward.  In fact, for the oVirt Node we've already done this.  But the  
>> appliance was less of a concern because it is only meant for demos.
>>
>> Where it is more important to get SELinux working is on bare metal server 
>> installations.  And I believe that Joey and other folks will be working 
>> on making sure that with SELinux enabled and targeted, that all of the 
>> core oVirt services will work properly.
> 
> The thing is that it should actually be _easier_ with the appliance case
> because you're more constrained in what the "machine" is doing.  The
> bare metal server is, conceivably, doing more and so you need to not
> conflict with other policy decisions.

Agreed, and I think we'll initially tackle the problem using the appliance 
as a testbed.  I was just pointing out that the appliance isn't going to 
be considered a production tool just to remind people in general :)

Perry



