On 09/25/2012 02:10 AM, Daniel J Walsh wrote:
> Definitely not. Enforcing mode and Permissive mode are not equivalent. SELinux/Permission Denied can cause things to crash. I have been working since last week on SELinux/Systemd problems that happen in early boot, and would only be seen in enforcing mode. For some reason avc messages were not showing up in early boot, so no one would have known about it.
Interesting, those errors were not even caught by the journal?
> Dontaudit rules can cover up messages that cause application bugs.
I see
> We have been working with SELinux in enforcing mode for years now, why change now?
We also have had several releases without selinux running, so we have two data points to measure with.
The reason why I suggested this is to keep the entry level for reporters as low as possible, so running selinux in permissive mode would have yielded the same result; we would have been able to still gather the necessary data without leaving the reporter with a potentially unbootable system.
I guess we could just create a wiki page that reporters could use on the side in case they need it.
Ever since the introduction of systemd we have had more *severe* cases of selinux issues in the alpha phase, which seems to be mostly due to the systemd team not giving the selinux team a heads-up about some of the changes they have made or are about to make (nothing that could not be solved with all the teams that make up CoreOS (Kernel, Dracut, Systemd and arguably Selinux) meeting and discussing what's going to happen next development cycle over a cold beer or good cognac).
Anyway, given your input + -1 from drago01 (whatever his or her real name is), Michael and Adam W., I think this proposal has been officially nack-ed (unless some others from the QA community have something more valuable to add to the discussion).
JBG