Vit Ry wrote on Wed, Dec 23, 2015 at 11:31:14PM +0300:
> Keep in mind - it may be fine still you are using SELinux targeted
> policy, which is kiddy mode :D

Yes, we have some nodes in targeted mode, some nodes with MLS - I only tried on a system with mostly-default selinux configuration, so targeted.

> Some users (I am, for example) can use SELinux MLS policy, where you
> should write a lot of rules for every apps, so one part of lorax would
> work fine, another - do not at all, and third one - looks like work
> fine, but SELinux blocked something unusual inside lorax/installroot.

Sure, but shouldn't you be able to check and/or tell yourself?

As long as it works for default 'kiddy mode' setup then I see no problem in enabling it by default -- even if you want to play safe, adding a run-anyway switch doesn't cost much and probably won't bring many bug reports asking about X fails with selinux enabled.

If you're running MLS or whatever else then you're what I would consider an advanced user and certainly ought to be able to do whatever you want as well.

I just don't want tools to tell me they won't even try because they think it might possibly not work - let me please decide if it works or not for myself!

For example, I'd be happy with a patch similar to this (+setting default to false earlier in the file, not tested):

diff --git a/src/pylorax/__init__.py b/src/pylorax/__init__.py index 4a41d95..60fc738 100644 --- a/src/pylorax/__init__.py +++ b/src/pylorax/__init__.py
@@ -219,8 +219,9 @@ class Lorax(BaseLoraxClass): # tools need to access (/etc/group, /etc/passwd, /etc/shadow etc.), # is wrong and selinux therefore disallows access to these files. logger.info("checking the selinux mode") - if selinux.is_selinux_enabled() and selinux.security_getenforce(): - logger.critical("selinux must be disabled or in Permissive mode") + if selinux.is_selinux_enabled() and selinux.security_getenforce() and self.conf.getboolean("lorax", "run-with-selinux"): + logger.critical("selinux is in enforced mode. This is known to cause bugs.") + logger.critical("If you are sure you want to try and know how to check AVCs please run again with run-with-selinux=true in the lorax section of the config file") sys.exit(1) # do we have a proper dnf base object? -- Dominique
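
Review bot: the new condition on the `if` line is inverted relative to the message it prints. As written, `... and self.conf.getboolean("lorax", "run-with-selinux")` reaches `sys.exit(1)` only when the option is true, so an enforcing system with the option unset or false passes the check silently, and setting `run-with-selinux=true` as the second `logger.critical` instructs is exactly what makes lorax exit. The test should be `and not self.conf.getboolean("lorax", "run-with-selinux")`. The hunk also relies on the default mentioned in the message ("setting default to false earlier in the file") being present: if `self.conf` is a standard ConfigParser and the option is missing, `getboolean` raises instead of returning false, so that default needs to land in the same patch. Minor wording point: SELinux names the mode "Enforcing", which is what users will see in `getenforce` output, so "selinux is in enforced mode" would read better as "selinux is in Enforcing mode".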