On Thu, 3 Jul 2008, Dave Airlie wrote: > That's all nice and all, but really SELinux on by default has never > worked on a Fedora gold release, there is always some path through some > program that didn't get tested, how about you guys try and come up with > a way to solve those problems in advance or at least give developers > some tools so regressions in SELinux policy can be tracked. > > Like we have rpmdiff and that other internal rpm thingy for RHEL, > perhaps SELinux team could construct a similiar tool that says your new > package is going to violate policy where your old package didn't. I'm not sure that's feasible -- if it were that simple, the policy would write itself. Possibly something can be done, but it won't make up for lack of testing. I know of several major packages which cannot possibly have been tested with SELinux before being shipped. Even if all people do is enable SELinux for ten minutes at some stage prior to release, and file the audit logs into a bz, that would probably fix most of these issues. Perhaps we should be thinking in terms of establishing the practice of developers doing all development with SELinux enabled and in enforcing mode, providing tools to support that. e.g. implement a wrapper for automated policy module generation for devel use only, and the developer submits the generated module to the SELinux team at some point, like during an alpha release, and an "official" policy module is developed from that and committed to rawhide. i.e. incorporate SELinux policy development into the overall development process with the package developers involved from the start and getting assistance from the SELinux folk. - James -- James Morris <jmorris@xxxxxxxxx> -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
