-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jeremy Katz wrote: > On Mon, 2008-03-31 at 14:07 -0400, Eric Paris wrote: >> I know its way late but I'd like to add a new SELinux concept to the F9 >> kernels. Its going to be a backport of a couple of my changesets headed >> upstream > > As a cranky release engineering person, no no no no no no > > We have a feature freeze for a reason, the kernel doesn't get a blank > check to get past it. If it was that important, it would have been done > in time for the freeze. The next release is in six months, so it's not > like it's that long to have to wait > > Jeremy > I can go either way whether this goes in or not. The userspace updates are done, The only change would be to modify some tools to quickly build a policy module to make a domain permissive. Permissive domains is a great new feature though: If gives users the following: 1. Some Wall Street customers originally brought up the idea. They want to be able to build a policy package to confine an application and after testing destribute it to their systems as a permissive domain. Then run it for a couple of months, once they are convinced that it will not break anything, they can turn it to an enforcing domain. We could start doing similar things for new confined domains in Rawhide. 2. We have a regression reported against Fedora since Fedora 7 that complained when we removed *disable_trans booleans. These were removed because disabling a transition in one domain could effect another domain by not setting the file context correctly. So permissive domains would be a great replacement for disable_trans. 3 Finally when a user builds a new policy for a domain, we tell them to use tools to build a framework for policy and install the new domain and setup labeling. Then we tell them to put the machine in permissive mode to run the app, and gather AVCs. This change would allow you to leave your entire machine in enforcing mode while you run your new domain in permissive mode, gathering the AVCs. 4. Some times people are convinced SELinux is causing a application to break, one way we tell them to test whether SELinux is the culprit is put the machine in permissive mode and see if the app still breaks, permissive domains would give us the ability to only put one domain in permissive mode. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkfxvT0ACgkQrlYvE4MpobP7GQCghAtXhGE4ivis+KELOhxqYU4t 6bUAn2T1HrtPWTE3ppu80KgCjf46nePW =sjft -----END PGP SIGNATURE----- _______________________________________________ Fedora-kernel-list mailing list Fedora-kernel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-kernel-list