On Fri, Dec 12, 2008 at 2:49 PM, Anton Arapov <[email protected]> wrote:
> On Fri, Dec 12, 2008 at 10:06:43PM +0100, Anton Arapov wrote:
>> On Fri, Dec 12, 2008 at 10:33:44AM -0500, Michael DeHaan wrote:
>> > Anton Arapov wrote:
>> > > On Thu, Dec 11, 2008 at 11:40:25AM -0500, Michael DeHaan wrote:
>> > >> Anton Arapov wrote:
>> >
>> > Anton,
>> >
>> > I'm pretty sure it's fine for applications to be ensuring that contexts
>> > are set right, so the earlier things seem fine to me, though it also
>> > seems that we would be better served having a SELinux policy written for
>> > koan, and having that shipped with koan (and possibly installed by the
>> > RPM -- or providing instructions for it to do so). Perhaps we can follow
>> > that tactic instead?
>> >
>> > This would have the benefit of also being able to move koan out of being
>> > unconfined, which may actually /improve/ security in a few regards
>> > (except of course koan's there to reinstall your system if you use
>> > --replace-self, so it's a bit illusory to assume that's why we're doing
>> > it). The policy would need to be very open ended because koan can
>> > install files with its --update-files feature and also manipulate grub?
>> >
>> > Does that make sense?
>>
>> Michael,
>>
>> I did some investigations today, and have had a chance to speak
>> to Dan Walsh, our selinux guru. And the concern is that the selinux
>> restrictions with semanage mentioned by me are just because of the
>> tricky implementation of the logging (how we log things to
>> ~/.koan/koan.log), and another one: it seems we have a problem in
>> sub_process, it leaves a file descriptor open....
>>
>> I will dive into it this weekend and will come up with a solution.
>> If there will be the need of setting some context to the koan script,
>> probably..... but I do not think so. :)
>>
>> -- Anton
>
> I'm afraid I will not have time to work further on this next week,
> so sharing what I have:
>
> In order to eliminate the problem with logging, we need to set
> an appropriate context to ~/.koan/koan.log or log everything to /var/log,
> for example, var_log_t:
>
> # chcon -v -t var_log_t /root/.koan/koan.log
>
> And if we really care about it, it will be better to create some
> koan context, maybe koan_log_t, and use it. Do we need this?
> Maybe we will use /var/log/* in the future?

Ideally, cobbler would do:

import syslog
syslog(...

and then cobbler logs would use existing syslog infrastructures.
It is annoying that it doesn't currently for those of us who have big
syslog environments.

-- Jeff Schroeder
Don't drink and derive, alcohol and analysis don't mix.
http://www.digitalprognosis.com

_______________________________________________
cobbler mailing list
[email protected]
https://fedorahosted.org/mailman/listinfo/cobbler
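As an added illustration of the two approaches discussed in this thread (not code from koan or cobbler), the snippet below prefers the local syslog socket, as Jeff suggests, and only falls back to a per-user log file when no socket exists; it also includes a helper that reads the `security.selinux` label of an existing log file so an operator can confirm the type (e.g. `var_log_t`) that Anton's `chcon` sets. The function names, the `/dev/log` default and the fallback path are assumptions for this example.

```python
import logging
import logging.handlers
import os
import stat

# Hypothetical helper for this example: does a unix-domain syslog socket exist?
def syslog_socket_available(path="/dev/log"):
    try:
        return stat.S_ISSOCK(os.stat(path).st_mode)
    except OSError:
        return False


def build_koan_logger(name="koan", fallback_path=None, syslog_address="/dev/log"):
    """Return (logger, sink): sink is "syslog" when the socket is usable,
    otherwise "file" and the logger writes to fallback_path (assumed default:
    ~/.koan/koan.log, the location discussed in the thread)."""
    if fallback_path is None:
        fallback_path = os.path.expanduser("~/.koan/koan.log")
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)
    logger.handlers = []  # make repeated calls idempotent
    if syslog_socket_available(syslog_address):
        handler = logging.handlers.SysLogHandler(
            address=syslog_address,
            facility=logging.handlers.SysLogHandler.LOG_DAEMON)
        handler.setFormatter(logging.Formatter("%(name)s: %(levelname)s %(message)s"))
        logger.addHandler(handler)
        return logger, "syslog"
    # No syslog socket: fall back to the per-user file, creating ~/.koan if needed.
    os.makedirs(os.path.dirname(fallback_path), exist_ok=True)
    handler = logging.FileHandler(fallback_path)
    handler.setFormatter(logging.Formatter("%(asctime)s %(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger, "file"


def selinux_type(label):
    """Extract the type field from a security.selinux label such as
    'unconfined_u:object_r:var_log_t:s0' (bytes from getxattr are NUL-terminated)."""
    if isinstance(label, bytes):
        label = label.rstrip(b"\x00").decode()
    parts = label.split(":")
    return parts[2] if len(parts) >= 3 else None


def log_file_context_type(path):
    """Return the SELinux type of path, or None when the xattr is unavailable
    (non-SELinux system, missing file, or a platform without os.getxattr)."""
    try:
        return selinux_type(os.getxattr(path, "security.selinux"))
    except (OSError, AttributeError):
        return None
```

On an SELinux-enabled host, `log_file_context_type("/root/.koan/koan.log")` returning `var_log_t` confirms the `chcon` from the thread took effect; `user_home_t` means the file still carries the home-directory default.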
