On Tue, 2005-06-28 at 10:50 -0400, Chris Bookholt wrote:
> Greetings to all,
>
> My systems were also adversely affected (no login, etc.) by the most
> recent policy upgrade that came from the official updates-released yum
> repository.
>
> What, if any, are the fedora testing procedures for SELinux policy? I
> know developers make mistakes, but I thought that's what the development
> repos were for.
>
> I don't intend to flame, but rather to express the need for testing to
> address the recent flood of policy problems in packages coming from what
> are supposed to be reasonably stable repos.
>
> Since I don't see a lack of reliability in other packages coming from
> updates-released, it makes me think that the typical
> development->test->release cycle does not apply to SELinux policy
> packages. If this is the case, why? If not, what other reason is there
> for the lack of comparable quality?
>
> Clearly you, the fedora SELinux policy developers, are trying hard to
> avoid scaring users away by incrementally tightening the policies.
> However, each time a broken policy is released as stable, you lose the
> trust you so patiently built.
>
> So, my message is this:
>
> Please test. If you already test, please test more. Thanks for your
> hard work and brilliant ideas; I'm a big fan of adding MAC into
> mainstream distros.

I have nothing to do with any updates for Fedora, but my impression (possibly wrong) was that the procedure for all Fedora updates was the same, i.e. developer tests on his own box to whatever degree he feels comfortable, puts the updated package into the updates-testing tree and announces it on fedora-test-list, some subset of the Fedora community is expected to provide testing of the update at that point, and then after some period of time in the absence of any bug reports, puts the updated package into the updates-released tree.

Looking at the fedora-test-list archives, I don't see a test release of this policy update (3.13), although oddly I do see an announcement of a 3.15 test update on the same day. Not sure what happened there, or if I am missing something.

I'm also not sure we understand yet what exactly happened with the policy update. Some users reported selective execmod denials (e.g. gpg, acroread) that make sense in light of the changes in the policy update and wouldn't have shown up without exercising those specific programs, while others have reported pervasive execmod denials for the entire system, as in the bugzilla report, that I don't understand yet, as these should not involve text relocations at all. Russell wasn't able to easily reproduce on his machine.

--
Stephen Smalley
National Security Agency