Re: lorax - selinux limitation

Vit Ry wrote on Wed, Dec 23, 2015 at 11:31:14PM +0300:
> Keep in mind - it may be fine still you are using SELinux targeted
> policy, which is kiddy mode :D

Yes, we have some nodes in targeted mode, some nodes with MLS - I only
tried on a system with mostly-default selinux configuration, so
targeted.

> Some users (I am, for example) can use SELinux MLS policy, where you
> should write a lot of rules for every app, so one part of lorax would
> work fine, another - not at all, and a third one - looks like it works
> fine, but SELinux blocked something unusual inside lorax/installroot.

Sure, but shouldn't you be able to check and/or tell yourself?

As long as it works for default 'kiddy mode' setup then I see no problem
in enabling it by default -- even if you want to play safe, adding a
run-anyway switch doesn't cost much and probably won't bring many
bug reports asking about X failing with selinux enabled.

If you're running MLS or whatever else then you're what I would consider
an advanced user and certainly ought to be able to do whatever you want
as well.

I just don't want tools to tell me they won't even try because they
think it might possibly not work - let me please decide if it works or
not for myself!


For example, I'd be happy with a patch similar to this (+setting default
to false earlier in the file, not tested):

diff --git a/src/pylorax/__init__.py b/src/pylorax/__init__.py
index 4a41d95..60fc738 100644
--- a/src/pylorax/__init__.py
+++ b/src/pylorax/__init__.py
@@ -219,8 +219,9 @@ class Lorax(BaseLoraxClass):
         # tools need to access (/etc/group, /etc/passwd, /etc/shadow
	 etc.),
         # is wrong and selinux therefore disallows access to these
	 files.
         logger.info("checking the selinux mode")
-        if selinux.is_selinux_enabled() and selinux.security_getenforce():
-            logger.critical("selinux must be disabled or in Permissive mode")
+        if selinux.is_selinux_enabled() and selinux.security_getenforce() and self.conf.getboolean("lorax", "run-with-selinux"):
+            logger.critical("selinux is in enforced mode. This is known to cause bugs.")
+            logger.critical("If you are sure you want to try and know how to check AVCs please run again with run-with-selinux=true in the lorax section of the config file")
             sys.exit(1)
 
         # do we have a proper dnf base object?
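Review bot: the added condition on the `if` line is inverted: `and self.conf.getboolean("lorax", "run-with-selinux")` makes the critical messages and `sys.exit(1)` fire exactly when the user has set run-with-selinux=true, while the second message tells them to set that value in order to get past the check; it should be `and not self.conf.getboolean("lorax", "run-with-selinux")`, and as the cover text notes the option needs a default of false registered earlier in the file, otherwise getboolean raises on configs that do not mention it. The new `if` line is also far longer than the surrounding code; splitting the three operands across lines would keep it readable. Note that the context lines `etc.),` and `files.` are mail-wrapped, so the hunk will not apply as pasted.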


-- 
Dominique

_______________________________________________
Anaconda-devel-list mailing list
Anaconda-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/anaconda-devel-list


