Re: SELinux testing

James Morris (jmorris@xxxxxxxxxx) said: 
> This guideline would request that developers test their package with 
> SELinux enabled (and by this I mean in enforcing mode) and follow a simple 
> procedure:
> 
> 1. Ensure they have the latest SELinux policy installed.
> 2. Boot with selinux=1 and in enforcing mode.
> 3. Perform the normal testing of their application.
> 4. Check syslog (or /var/log/audit/audit.log if audit is enabled) for AVC 
>    messages related to their package.
> 
> If there are any bugs or AVC messages:
> 
> 5. Obtain support from the SELinux team.  The best way to do this I
> believe is to file a bugzilla against the selinux-policy package.  They
> should note that they are a Fedora packager (and expect a high priority
> response).  If SELinux is running all or most of the time, issues will be
> caught and fixed earlier in their dev cycle.
> 
> 6. Don't release the package until the SELinux issue is resolved.

I'd suggest all of the following except #6 - make sure the issues are
known, give a reasonable amount of time for fixes, but not necessarily
hold until release. For example, fixes may not be backported to earlier
releases, or the SELinux changes might require kernel fixes that are
non-trivial to implement.

Bill

--
Fedora-packaging mailing list
Fedora-packaging@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-packaging
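
Step 4 of the quoted procedure (checking syslog or audit.log for AVC messages related to a package) can be scripted. The following is an added example, not part of the original thread: it groups AVC denials by permission, object class and contexts for the command names a package ships. The name `mydaemon` and all log records are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): summarise AVC denials for a package.
# "mydaemon", "otherd" and every record below are constructed sample data.

sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1136900000.101:41): avc:  denied  { read } for  pid=2301 comm="mydaemon" name="app.conf" dev=dm-0 ino=4011 scontext=system_u:system_r:mydaemon_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1136900003.210:44): avc:  denied  { read } for  pid=2301 comm="mydaemon" name="app.conf" dev=dm-0 ino=4011 scontext=system_u:system_r:mydaemon_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1136900004.007:45): avc:  denied  { read write } for  pid=2302 comm="mydaemon" name="state" dev=dm-0 ino=4100 scontext=system_u:system_r:mydaemon_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1136900005.500:46): avc:  denied  { getattr } for  pid=990 comm="otherd" name="x" dev=dm-0 ino=7 scontext=system_u:system_r:otherd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1136900005.500:46): arch=40000003 syscall=5 success=no exit=-13 comm="mydaemon" exe="/usr/sbin/mydaemon"
Jan 10 12:00:06 host kernel: audit(1136900006.900:47): avc:  denied  { name_bind } for  pid=2301 comm="mydaemon" src=8081 scontext=system_u:system_r:mydaemon_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
EOF
}

# avc_summary LOGFILE COMM...
# Prints one line per distinct denial: COUNT COMM PERMS TCLASS SCONTEXT TCONTEXT
# Handles both audit.log records and kernel AVC lines in syslog.
avc_summary() {
    log=$1; shift
    awk -v names="$*" '
    BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
    /avc:/ && /denied/ {
        comm = sctx = tctx = tcls = perms = ""; inperm = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm) { perms = perms (perms == "" ? "" : ",") $i; continue }
            if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
            if ($i ~ /^scontext=/) sctx = substr($i, 10)
            if ($i ~ /^tcontext=/) tctx = substr($i, 10)
            if ($i ~ /^tclass=/)   tcls = substr($i, 8)
        }
        if (comm in want) seen[comm " " perms " " tcls " " sctx " " tctx]++
    }
    END { for (k in seen) print seen[k], k }
    ' "$log" | sort -k1,1nr -k2
}

# Usage: script LOGFILE COMM... ; with no arguments it runs on the sample.
if [ "$#" -ge 2 ]; then
    avc_summary "$@"
else
    tmp=$(mktemp) && sample_audit_log > "$tmp" && avc_summary "$tmp" mydaemon
    rm -f "$tmp"
fi
```

Each output line carries the permission, class and both contexts in one place, which is the information a bugzilla report against selinux-policy needs.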
