On Sat, 2006-09-09 at 11:15 -0500, Steven Pritchard wrote:
> On Fri, Sep 08, 2006 at 04:50:44PM -0400, James Morris wrote:
> > 7. If for some reason, #2 is not possible, and the release of the package
> > is important enough to warrant disabling a core security feature of the
> > OS:
> >
> > 7a. Make a note of the bugzilla # from (1) in the rpm info, cvs commit and
> > release notes, with an explanation. Also include a standardized
> > disclaimer in the rpm info which advises the user of the security risks
> > arising from disabling SELinux. This should only happen in truly
> > exceptional cases. I'm not sure how we can reliably notify users that
> > SELinux can be re-enabled again, and whether they'll tolerate the entire
> > fs being relabeled on reboot. Really, this just should not happen.
>
> Can the policy for one application be turned off? (I honestly don't
> know... I haven't been able to justify spending the time to really
> wrap my brain around SELinux yet.)

This is usually possible: by setting the xxx_disable_trans SELinux boolean,
service xxx doesn't transition from the unconfined domain and effectively
runs with SELinux protection turned off.

> If not, that seems like a major flaw. It seems to me that if a user
> could just toggle off checks for a particular application (and reboot,
> I would assume) and have everything work well enough, there would be
> an incentive to fix the one application to work with SELinux instead
> of just turning off SELinux entirely.

Reboot isn't necessary; restarting the service should suffice.

Paul.