Kevin Kofler wrote:
dragoran <drago01 <at> gmail.com> writes:
David Woodhouse wrote:
[...]
*SELinux*,
[..]

thx for mentioning this. I suggest that any package that creates AVCs
should not pass a review. We have such packages in Extras and nothing
in the review process takes care of SELinux integration, which is wrong.

So you want to force reviewers to run with SELinux enabled? That's going to
reduce the number of reviewers significantly and increase the load on the
review queue even more. I for one have SELinux disabled (completely, so I don't
get even permissive AVCs) and I'm surely not the only one. Reviewing is already
tedious enough as it stands (it took me over an hour to review Strigi, and it
already had some quick pre-review comments by Rex Dieter and me). (It does work
though, for example I caught some plugin .so files being mistaken for symlinks
and thus accidentally shipped in strigi-devel rather than in the main strigi
package, that would definitely have broken things for the end user. So I'm not
complaining about the current process, just about your suggestion to add that
SELinux requirement.)
Kevin Kofler

I think the point is that someone should test with SELinux
enabled. (Especially the packager.) Having these packages go out and
blow up on an SELinux-enabled system causes me no end of
headaches. I would like to see the guidelines eventually state that
any network facing daemon would come with an SELinux policy for it. But
requiring the app to at least start and stop and maybe run a few
rudimentary tests with SELinux in enforcing mode.