On 15 Jun 2016 16:34, "Matthew Miller" <mattdm@xxxxxxxxxxxxxxxxx> wrote:
>
> On Wed, Jun 15, 2016 at 05:08:07PM +0200, Alexander Larsson wrote:
> > Snappy fundamentally relies on apparmour to do confinement (i.e. it
> > doesn't use filesystem namespaces like flatpak), how does this work on
> > fedora? You can't use selinux and apparmour at the same time, so this
> > shouldn't be able to work, unless they disable the containment feature.
>
> As I understand it, that's exactly what they do — there's a new
> "--disable-confinement" flag which is used¹. Additionally the COPR
> instructions² ask users to switch SELinux to permissive mode for F24
> (but note that "this restriction will be lifted later).
>
>
> 1. http://copr-dist-git.fedorainfracloud.org/cgit/zyga/snapcore/snap-confine.git/tree/snap-confine.spec?id=09ccbb9f0537e2f519b18c8d8ef5613f1cabf5cc
> 2. https://copr.fedorainfracloud.org/coprs/zyga/snapcore/
Considering how this actively negates the security of our distribution and how this is being promoted in the media, with them pointing to the snapcraft site and the instructions there with COPR looking like it's on approved Fedora infrastructure (for those who don't understand anyone can COPR and there is no review) I honestly wonder if this is a good case for pulling a COPR repo...
Would FESCO have authority here or is that going to be inadvisable a road?
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
