On Fri, Sep 08, 2006 at 04:50:44PM -0400, James Morris wrote:
> 7. If for some reason, #2 is not possible, and the release of the package
> is important enough to warrant disabling a core security feature of the
> OS:
>
> 7a. Make a note of the bugzilla # from (1) in the rpm info, cvs commit and
> release notes, with an explanation. Also include a standardized
> disclaimer in the rpm info which advises the user of the security risks
> arising from disabling SELinux. This should only happen in truly
> exceptional cases. I'm not sure how we can reliably notify users that
> SELinux can be re-enabled again, and whether they'll tolerate the entire
> fs being relabeled on reboot. Really, this just should not happen.

Can the policy for one application be turned off? (I honestly don't
know... I haven't been able to justify spending the time to really
wrap my brain around SELinux yet.) If not, that seems like a major
flaw.

It seems to me that if a user could just toggle off checks for a
particular application (and reboot, I would assume) and have
everything work well enough, there would be an incentive to fix the
one application to work with SELinux instead of just turning off
SELinux entirely.

BTW, my limited experience with SELinux issues with one of my packages
is here:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=187305

The time it took to resolve that bug really should be a hint that
we're not ready to require SELinux compatibility in Extras yet.

Steve
--
Steven Pritchard - K&S Pritchard Enterprises, Inc.
Email: steve@xxxxxxxxx http://www.kspei.com/
Phone: (618)398-3000 Mobile: (618)567-7320

--
Fedora-packaging mailing list
Fedora-packaging@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-packaging