Re: GCL and SELinux: help requested

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 10/13/2017 02:07 PM, Jerry James wrote:
> On Sat, Oct 7, 2017 at 9:34 AM, Jerry James <loganjerry@xxxxxxxxx> wrote:

...snip...

> But that's not the end of the fun.  GCL failed the mass rebuild this
> summer.  It built successfully on every architecture but s390x.  On
> s390x, the build failed due to a failed call to mprotect(), almost
> certainly a sign that SELinux was in enforcing mode on the builder.
> Was that a known issue with s390x builders?  And, if so, has it been
> rectified since?  If so, I'll try building again.

The default config for all our builders is selinux permissive. Mostly
because we have never had enough cycles to track down any problems with
making them enforcing.

However, I just checked and the s390x builders _were_ in enforcing mode.
;( They are not installed like all the rest of our builders (via
kickstarts), but via a install image the mainframe admins made for us.
Sorry this wasn't noticed until now. ;(

I've set them all in permissive and tweaked our ansible playbooks to
make sure all of them stay that way.

> I still want the system policy to account for GCL, in some way or
> another.  But, as you can see from the quoted text above, submitting a
> pull request to the relevant git repository has resulted in months of
> <crickets chirping>.  And pointing that out on this list last weekend
> has resulted in still more of the crickets.
> 
> So ... what is a packager supposed to do????  Why is it so hard to get
> any attention for submissions to the system SELinux policy?  There
> should be a barrier to entry; I understand that.  But I can't even get
> the gatekeeper to have a conversation with me.  Heeeeellllllppppp!!!
> 
> Frustratedly yours,

I don't know. Others have expressed frustration with selinux policy
maintainers of late as well. It's really hard to say what the trouble
is... are there to few of them? Overtasked with other work? Workflow too
difficult? Perhaps we can get FESCO or someone to work with them and try
and come up with a more open and working workflow. I'm not sure what the
answer is here.

kevin

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux