Re: Developers of packages please pay attention to selinux labeling.

2010-07-15 Thread Richard W.M. Jones
On Tue, Jul 13, 2010 at 04:47:40PM +0200, Tomasz Torcz wrote:
 There are sometimes such obvious errors and missing labels that I
 cannot imagine not catching an audit message when program fails to
 even start!

A lot of my Fedora machines are virtualized and I only ever interact
with them by ssh.  While I would see a program if it failed to start,
I don't generally see any SELinux audit messages ever.  (The bloated
python SELinux audit daemon whatever it's called is usually the first
thing I kill when I install Fedora on my desktop too ...)

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-top is 'top' for virtual machines.  Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://et.redhat.com/~rjones/virt-top
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel


Re: Developers of packages please pay attention to selinux labeling.

2010-07-15 Thread Richard W.M. Jones
On Thu, Jul 15, 2010 at 03:29:34PM +0530, Rahul Sundaram wrote:
 On 07/15/2010 02:22 PM, Richard W.M. Jones wrote:
  On Tue, Jul 13, 2010 at 04:47:40PM +0200, Tomasz Torcz wrote:

  There are sometimes such obvious errors and missing labels that I
  cannot imagine not catching an audit message when program fails to
  even start!
  
  A lot of my Fedora machines are virtualized and I only ever interact
  with them by ssh.  While I would see a program if it failed to start,
  I don't generally see any SELinux audit messages ever.  (The bloated
  python SELinux audit daemon whatever it's called is usually the first
  thing I kill when I install Fedora on my desktop too ...)

  Wasn't it rewritten in C recently?

I didn't know that.  I'll try the new version when I next do my
annual desktop upgrade.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-top is 'top' for virtual machines.  Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://et.redhat.com/~rjones/virt-top


Re: Developers of packages please pay attention to selinux labeling.

2010-07-15 Thread Daniel J Walsh
On 07/15/2010 06:04 AM, Richard W.M. Jones wrote:
 On Thu, Jul 15, 2010 at 03:29:34PM +0530, Rahul Sundaram wrote:
 On 07/15/2010 02:22 PM, Richard W.M. Jones wrote:
 On Tue, Jul 13, 2010 at 04:47:40PM +0200, Tomasz Torcz wrote:
   
 There are sometimes such obvious errors and missing labels that I
 cannot imagine not catching an audit message when program fails to
 even start!
 
 A lot of my Fedora machines are virtualized and I only ever interact
 with them by ssh.  While I would see a program if it failed to start,
 I don't generally see any SELinux audit messages ever.  (The bloated
 python SELinux audit daemon whatever it's called is usually the first
 thing I kill when I install Fedora on my desktop too ...)
   
  Wasn't it rewritten in C recently?
 
 I didn't know that.  I'll try the new version when I next do my
 annual desktop upgrade.
 
 Rich.
 
setroubleshoot has been modified to only start on dbus activation,
arrival of an AVC message or client app starting up, service exits 10
seconds after last AVC arrival.  Applet that shows the star (Check
engine light) is now C code.


Re: Developers of packages please pay attention to selinux labeling.

2010-07-15 Thread Matthew Miller
On Thu, Jul 15, 2010 at 09:52:39AM +0100, Richard W.M. Jones wrote:
 A lot of my Fedora machines are virtualized and I only ever interact
 with them by ssh.  While I would see a program if it failed to start,
 I don't generally see any SELinux audit messages ever.  (The bloated

This is a problem. It's security through cross your fingers and hope it
worked. :/

-- 
Matthew Miller mat...@mattdm.org
Senior Systems Architect -- Instructional & Research Computing Services
Harvard School of Engineering & Applied Sciences


Re: Developers of packages please pay attention to selinux labeling.

2010-07-15 Thread Stephen Smalley
On Thu, 2010-07-15 at 09:52 +0100, Richard W.M. Jones wrote:
 On Tue, Jul 13, 2010 at 04:47:40PM +0200, Tomasz Torcz wrote:
  There are sometimes such obvious errors and missing labels that I
  cannot imagine not catching an audit message when program fails to
  even start!
 
 A lot of my Fedora machines are virtualized and I only ever interact
 with them by ssh.  While I would see a program if it failed to start,
 I don't generally see any SELinux audit messages ever.  (The bloated
 python SELinux audit daemon whatever it's called is usually the first
 thing I kill when I install Fedora on my desktop too ...)

You don't need setroubleshoot to see SELinux denials.
/sbin/ausearch -m AVC -ts today -i (if running auditd) or
grep avc /var/log/messages (if not).

-- 
Stephen Smalley
National Security Agency
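
Added example, not part of the original post: for machines reached only over ssh, a short Python summarizer for raw AVC lines such as those `grep avc /var/log/messages` returns. The sample log is constructed around the denial quoted elsewhere in this thread, and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed log excerpt. The first record is the denial quoted elsewhere in
# this thread, joined onto one line; the second is a constructed repeat with a
# different pid and serial number; the third line is unrelated noise.
SAMPLE_LOG = """\
node=(removed) type=AVC msg=audit(1266885495.204:24851): avc:  denied  { read append } for  pid=6724 comm=tzdata-update path=/tmp/tmpNJCaKB dev=dm-1 ino=110966 scontext=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
node=(removed) type=AVC msg=audit(1266885499.310:24857): avc:  denied  { read append } for  pid=6731 comm=tzdata-update path=/tmp/tmpNJCaKB dev=dm-1 ino=110966 scontext=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
Jul 15 09:52:39 host sshd[1234]: Accepted publickey for user
"""

# "avc:  denied  { perms } for  key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    # The MLS level may contain ':' itself, so index from the left.
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one log line; return a dict for an AVC denial, else None."""
    match = AVC_RE.search(line)
    if match is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated or malformed record
    return {
        "perms": tuple(sorted(match.group("perms").split())),
        "comm": fields.get("comm", "?"),
        "path": fields.get("path") or fields.get("name"),
        "source_type": context_type(fields["scontext"]),
        "target_type": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def summarize(log_text):
    """Group denials by (source type, target type, class, perms).

    Returns a list of (key, count, (comm, path)) sorted by count, so repeated
    denials collapse into one row and distinct ones stand out.
    """
    counts = Counter()
    first_seen = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["source_type"], rec["target_type"], rec["tclass"], rec["perms"])
        counts[key] += 1
        first_seen.setdefault(key, (rec["comm"], rec["path"]))
    return [(key, n, first_seen[key]) for key, n in counts.most_common()]


if __name__ == "__main__":
    for (src, tgt, tclass, perms), n, (comm, path) in summarize(SAMPLE_LOG):
        print(f"{n:4d}x {src} -> {tgt}:{tclass} {{ {' '.join(perms)} }} "
              f"(e.g. comm={comm} path={path})")
```
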



Re: Developers of packages please pay attention to selinux labeling.

2010-07-13 Thread Jon Ciesla
On 07/13/2010 07:55 AM, Daniel J Walsh wrote:
 If you are changing the location of an executable or libraries the
 executables write to, please make sure SELinux labels are still
 consistent or contact the selinux developers for help.  IF you update a
 package in a released version of Fedora and change the locations you
 MUST make sure it still works with selinux in enforcing mode.

 packagekit got released this to F13 and Rawhide this week and changed
 its location. packagekitd should be labeled rpm_exec_t,  Since it moved
 it got the default label and is now running unconfined.  This causes
 labels to get screwed up and lots of bugs are being reported on it.  It
 gives SELinux a bad name.  And it makes our user community mad.  SELinux
 has been around a long time.  Packages should be using it at least in
 testing.  This is unacceptable.


Should we set the context manually, or will a restorecon in %post be 
sufficient?

-J

-- 
- in your fear, speak only peace
   in your fear, seek only love

-d. bowie



Re: Developers of packages please pay attention to selinux labeling.

2010-07-13 Thread Rahul Sundaram
On 07/13/2010 06:25 PM, Daniel J Walsh wrote:
 If you are changing the location of an executable or libraries the
 executables write to, please make sure SELinux labels are still
 consistent or contact the selinux developers for help.  IF you update a
 package in a released version of Fedora and change the locations you
 MUST make sure it still works with selinux in enforcing mode.

 packagekit got released this to F13 and Rawhide this week and changed
 its location. packagekitd should be labeled rpm_exec_t,  Since it moved
 it got the default label and is now running unconfined.  This causes
 labels to get screwed up and lots of bugs are being reported on it.  It
 gives SELinux a bad name.  And it makes our user community mad.  SELinux
 has been around a long time.  Packages should be using it at least in
 testing.  This is unacceptable.
   

Wasn't there a move earlier to move policies to the packages instead of
maintaining everything centrally?  As long as it abstracted away from
me, I don't really pay much attention to it.  If it was part of my
package, I probably can keep it updated better.

Rahul





Re: Developers of packages please pay attention to selinux labeling.

2010-07-13 Thread Michael Cronenworth
Daniel J Walsh wrote:
 packagekit got released this to F13 and Rawhide this week and changed
 its location. packagekitd should be labeled rpm_exec_t,  Since it moved
 it got the default label and is now running unconfined.  This causes
 labels to get screwed up and lots of bugs are being reported on it.  It
 gives SELinux a bad name.  And it makes our user community mad.  SELinux
 has been around a long time.  Packages should be using it at least in
 testing.  This is unacceptable.

I QA'd this package as working under SELinux enforcing machines and did 
not encounter any issues. Could you point to the bugs in question so I 
can study what I missed?



Re: Developers of packages please pay attention to selinux labeling.

2010-07-13 Thread Christopher Brown
On 13 July 2010 13:55, Daniel J Walsh dwa...@redhat.com wrote:
 If you are changing the location of an executable or libraries the
 executables write to, please make sure SELinux labels are still
 consistent or contact the selinux developers for help.  IF you update a
 package in a released version of Fedora and change the locations you
 MUST make sure it still works with selinux in enforcing mode.

 packagekit got released this to F13 and Rawhide this week and changed
 its location. packagekitd should be labeled rpm_exec_t,  Since it moved
 it got the default label and is now running unconfined.  This causes
 labels to get screwed up and lots of bugs are being reported on it.  It
 gives SELinux a bad name.  And it makes our user community mad.  SELinux
 has been around a long time.  Packages should be using it at least in
 testing.  This is unacceptable.

No. SELinux is unacceptable when it displays ridiculous warning
messages to users telling them it has detected suspicious activity on
a system that has ONLY JUST BEEN INSTALLED.

Please, for the love of everything, stop it.

/wasted breath (my assumption here - this nonsense has been going on
for so many releases I've lost count).

-- 
Christopher Brown


Re: Developers of packages please pay attention to selinux labeling.

2010-07-13 Thread Rahul Sundaram
On 07/13/2010 06:58 PM, Christopher Brown wrote:
 No. SELinux is unacceptable when it displays ridiculous warning
 messages to users telling them it has detected suspicious activity on
 a system that has ONLY JUST BEEN INSTALLED.
   

That should have failed the release criteria as it is written
currently.  Let the QA team know by citing bug numbers.

Rahul



Re: Developers of packages please pay attention to selinux labeling.

2010-07-13 Thread Daniel J Walsh
On 07/13/2010 09:30 AM, Rahul Sundaram wrote:
 On 07/13/2010 06:58 PM, Christopher Brown wrote:
 No. SELinux is unacceptable when it displays ridiculous warning
 messages to users telling them it has detected suspicious activity on
 a system that has ONLY JUST BEEN INSTALLED.
   
 
 That should have failed the release criteria as it is written
 currently.  Let the QA team know by citing bug numbers.
 
 Rahul
 
All of the bugs like this

https://bugzilla.redhat.com/show_bug.cgi?id=567454

The problem is without the rpm_exec_t label it runs as initrc_t which is
an unconfined domain.  It creates /tmp output files and redirects the
stdout of all packages being updated.  If any confined app transitions
it attempts to append to a file labeled tmp_t rather than rpm_tmp_t.

This caused all confined applications to generate an AVC like

node=(removed) type=AVC msg=audit(1266885495.204:24851): avc:  denied  {
read append } for  pid=6724 comm=tzdata-update path=/tmp/tmpNJCaKB
dev=dm-1 ino=110966 scontext=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file

It is obviously difficult to trace this type of error back to packagekit.

It just takes a few seconds to send us a heads up and we can fix the
next selinux policy package.

These are the things labeled rpm_exec_t on a Fedora machine

/usr/libexec/yumDBUSBackend.py
/bin/rpm
/usr/bin/rpm
/usr/bin/yum
/usr/sbin/pup
/usr/bin/smart
/usr/sbin/pirut
/usr/bin/apt-get
/usr/sbin/up2date
/usr/sbin/synaptic
/usr/bin/apt-shell
/usr/sbin/rhn_check
/usr/sbin/yum-updatesd
/usr/libexec/packagekitd
/usr/libexec/ricci-modrpm
/usr/bin/fedora-rmdevelrpms
/usr/bin/rpmdev-rmdevelrpms
/usr/sbin/system-install-packages
/usr/share/yumex/yum_childtask\.py
/usr/sbin/yum-complete-transaction
/usr/share/yumex/yumex-yum-backend


So putting this into the packagekitd package does not make sense.

As long as you give us a heads up we can prevent these types of blowups.
Since this policy is shared between yum, packagekit
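
Added example (not code from the original message or from the SELinux policy tools): a simplified Python model of file-context lookup, showing why a relocated binary stops matching its rpm_exec_t entry. The fallback entries and their types, the `default_t` fallback and the new packagekitd path are assumptions made for the illustration.

```python
import re

# A subset of the entries listed in the message above as labelled rpm_exec_t.
# File-context entries are regular expressions, hence the escaped dot.
RPM_EXEC_ENTRIES = [
    r"/bin/rpm",
    r"/usr/bin/rpm",
    r"/usr/bin/yum",
    r"/usr/sbin/yum-updatesd",
    r"/usr/libexec/packagekitd",
    r"/usr/share/yumex/yum_childtask\.py",
]

# Constructed generic rules standing in for the rest of a policy (assumption:
# both the patterns and the types are illustrative, not copied from a policy).
FALLBACK_ENTRIES = [
    (r"/usr(/.*)?", "usr_t"),
    (r"/usr/(s?bin|libexec)(/.*)?", "bin_t"),
]

# Constructed package update: (old path, new path). The new packagekitd
# location is hypothetical; the thread does not say where the file moved.
SAMPLE_MOVES = [
    ("/usr/libexec/packagekitd", "/usr/libexec/packagekit/packagekitd"),
    ("/usr/bin/yum", "/usr/bin/yum"),
]


def build_table():
    """Order entries from least to most specific; the last match wins."""
    table = [(re.compile(p), t) for p, t in FALLBACK_ENTRIES]
    table += [(re.compile(p), "rpm_exec_t") for p in RPM_EXEC_ENTRIES]
    return table


def expected_type(path, table, default="default_t"):
    """Return the type the table assigns to path.

    Each entry must match the whole path. Simplified model: the table is
    already sorted by specificity and the last matching entry is used.
    """
    result = default
    for pattern, setype in table:
        if pattern.fullmatch(path):
            result = setype
    return result


def label_changes(moves, table):
    """Return (old, new, type_before, type_after) for every moved file whose
    expected type differs between its old and new location."""
    changes = []
    for old, new in moves:
        before = expected_type(old, table)
        after = expected_type(new, table)
        if before != after:
            changes.append((old, new, before, after))
    return changes


if __name__ == "__main__":
    for old, new, before, after in label_changes(SAMPLE_MOVES, build_table()):
        print(f"{old} -> {new}: {before} becomes {after}; "
              "policy needs an entry for the new path")
```

On a real system, `matchpathcon <path>` reports the context the installed policy expects for a path, which is the lookup this model approximates.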



Re: Developers of packages please pay attention to selinux labeling.

2010-07-13 Thread Rahul Sundaram
On 07/13/2010 07:14 PM, Daniel J Walsh wrote:
 On 07/13/2010 09:30 AM, Rahul Sundaram wrote:
   
 On 07/13/2010 06:58 PM, Christopher Brown wrote:
 
 No. SELinux is unacceptable when it displays ridiculous warning
 messages to users telling them it has detected suspicious activity on
 a system that has ONLY JUST BEEN INSTALLED.
   
   
 That should have failed the release criteria as it is written
 currently.  Let the QA team know by citing bug numbers.

 Rahul

 
 All of the bugs like this

 https://bugzilla.redhat.com/show_bug.cgi?id=567454
   


That's a post release regression.  I was pointing out that SELinux
denials right after installation of a new release (without any updates)
fails the release criteria.

Rahul


Re: Developers of packages please pay attention to selinux labeling.

2010-07-13 Thread Christopher Brown
On 13 July 2010 14:44, Daniel J Walsh dwa...@redhat.com wrote:
 On 07/13/2010 09:30 AM, Rahul Sundaram wrote:
 On 07/13/2010 06:58 PM, Christopher Brown wrote:
 No. SELinux is unacceptable when it displays ridiculous warning
 messages to users telling them it has detected suspicious activity on
 a system that has ONLY JUST BEEN INSTALLED.


 That should have failed the release criteria as it is written
 currently.  Let the QA team know by citing bug numbers.

 Rahul

 All of the bugs like this

 https://bugzilla.redhat.com/show_bug.cgi?id=567454

 The problem is without the rpm_exec_t label it runs as initrc_t which is
 an unconfined domain.  It creates /tmp output files and redirects the
 stdout of all packages being updated.  If any confined app transitions
 it attempts to append to a file labeled tmp_t rather than rpm_tmp_t.

 This caused all confined applications to generate an AVC like

 node=(removed) type=AVC msg=audit(1266885495.204:24851): avc:  denied  {
 read append } for  pid=6724 comm=tzdata-update path=/tmp/tmpNJCaKB
 dev=dm-1 ino=110966 scontext=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023
 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file

 It is obviously difficult to trace this type of error back to packagekit.

 It just takes a few seconds to send us a heads up and we can fix the
 next selinux policy package.

 These are the things labeled rpm_exec_t on a Fedora machine

 /usr/libexec/yumDBUSBackend.py
 /bin/rpm
 /usr/bin/rpm
 /usr/bin/yum
 /usr/sbin/pup
 /usr/bin/smart
 /usr/sbin/pirut
 /usr/bin/apt-get
 /usr/sbin/up2date
 /usr/sbin/synaptic
 /usr/bin/apt-shell
 /usr/sbin/rhn_check
 /usr/sbin/yum-updatesd
 /usr/libexec/packagekitd
 /usr/libexec/ricci-modrpm
 /usr/bin/fedora-rmdevelrpms
 /usr/bin/rpmdev-rmdevelrpms
 /usr/sbin/system-install-packages
 /usr/share/yumex/yum_childtask\.py
 /usr/sbin/yum-complete-transaction
 /usr/share/yumex/yumex-yum-backend


 So putting this into the packagekitd package does not make sense.

 As long as you give us a heads up we can prevent these types of blowups.
 Since this policy is shared between yum, packagekit

Whilst I appreciate your huge efforts to provide users with a more
secure system, you need to realise that SELinux as it stands at the
moment is utterly broken. As you clearly don't think this is the case,
please spend some time in userland before beating on developers for
not caring about this.

If we can't even build (and QA!) a system that ships without SELinux
warnings, there is clearly a problem. Adding SELinux checks to Fedora
development slows things down even further. You really need to work
with the AutoQA people to get this automated. Developers simply
shouldn't have to worry about this.

I understand wanting SELinux checks for *EL but for Fedora? Seriously?

Wow, just wow.

-- 
Christopher Brown


Re: Developers of packages please pay attention to selinux labeling.

2010-07-13 Thread Manuel Wolfshant
On 07/13/2010 05:11 PM, Christopher Brown wrote:
 [...]
 Whilst I appreciate your huge efforts to provide users with a more
 secure system, you need to realise that SELinux as it stands at the
 moment is utterly broken. As you clearly don't think this is the case,
 please spend some time in userland before beating on developers for
 not caring about this.

 If we can't even build (and QA!) a system that ships without SELinux
 warnings, there is clearly a problem. Adding SELinux checks to Fedora
 development slows things down even further. You really need to work
 with the AutoQA people to get this automated. Developers simply
 shouldn't have to worry about this.

 I understand wanting SELinux checks for *EL but for Fedora? Seriously?

 Wow, just wow.
I am sorry, Christopher but I have to partially disagree with you. There 
is absolutely no reason to make Fedora any less secure than *EL. Or any 
less secure than it can be. Yes, selinux can be cumbersome at times. 
Yes, it can be improved. But that cannot be done without proper feedback.
And yes, AutoQA doing selinux checks is a good idea.

  Manuel


Re: Developers of packages please pay attention to selinux labeling.

2010-07-13 Thread Daniel J Walsh
On 07/13/2010 10:11 AM, Christopher Brown wrote:
 On 13 July 2010 14:44, Daniel J Walsh dwa...@redhat.com wrote:
 On 07/13/2010 09:30 AM, Rahul Sundaram wrote:
 On 07/13/2010 06:58 PM, Christopher Brown wrote:
 No. SELinux is unacceptable when it displays ridiculous warning
 messages to users telling them it has detected suspicious activity on
 a system that has ONLY JUST BEEN INSTALLED.


 That should have failed the release criteria as it is written
 currently.  Let the QA team know by citing bug numbers.

 Rahul

 All of the bugs like this

 https://bugzilla.redhat.com/show_bug.cgi?id=567454

 The problem is without the rpm_exec_t label it runs as initrc_t which is
 an unconfined domain.  It creates /tmp output files and redirects the
 stdout of all packages being updated.  If any confined app transitions
 it attempts to append to a file labeled tmp_t rather than rpm_tmp_t.

 This caused all confined applications to generate an AVC like

 node=(removed) type=AVC msg=audit(1266885495.204:24851): avc:  denied  {
 read append } for  pid=6724 comm=tzdata-update path=/tmp/tmpNJCaKB
 dev=dm-1 ino=110966 scontext=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023
 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file

 It is obviously difficult to trace this type of error back to packagekit.

 It just takes a few seconds to send us a heads up and we can fix the
 next selinux policy package.

 These are the things labeled rpm_exec_t on a Fedora machine

 /usr/libexec/yumDBUSBackend.py
 /bin/rpm
 /usr/bin/rpm
 /usr/bin/yum
 /usr/sbin/pup
 /usr/bin/smart
 /usr/sbin/pirut
 /usr/bin/apt-get
 /usr/sbin/up2date
 /usr/sbin/synaptic
 /usr/bin/apt-shell
 /usr/sbin/rhn_check
 /usr/sbin/yum-updatesd
 /usr/libexec/packagekitd
 /usr/libexec/ricci-modrpm
 /usr/bin/fedora-rmdevelrpms
 /usr/bin/rpmdev-rmdevelrpms
 /usr/sbin/system-install-packages
 /usr/share/yumex/yum_childtask\.py
 /usr/sbin/yum-complete-transaction
 /usr/share/yumex/yumex-yum-backend


 So putting this into the packagekitd package does not make sense.

 As long as you give us a heads up we can prevent these types of blowups.
 Since this policy is shared between yum, packagekit
 
 Whilst I appreciate your huge efforts to provide users with a more
 secure system, you need to realise that SELinux as it stands at the
 moment is utterly broken. As you clearly don't think this is the case,
 please spend some time in userland before beating on developers for
 not caring about this.
 
 If we can't even build (and QA!) a system that ships without SELinux
 warnings, there is clearly a problem. Adding SELinux checks to Fedora
 development slows things down even further. You really need to work
 with the AutoQA people to get this automated. Developers simply
 shouldn't have to worry about this.
 
 I understand wanting SELinux checks for *EL but for Fedora? Seriously?
 
 Wow, just wow.
 

We get the point you do not like SELinux.  Fine.

I don't want to get into a discussion of SELinux value here.  The goal
is just to get developers to think about the SELinux  of changing the
location of paths in their spec file after release, just like they would
think of the Ownership/Permission changes in the spec file.  We usually
catch these things in Rawhide quickly but if it happens in a released
package, it can lead more people to think SELinux is just broken.



Re: Developers of packages please pay attention to selinux labeling.

2010-07-13 Thread Till Maas
On Tue, Jul 13, 2010 at 08:55:47AM -0400, Daniel J Walsh wrote:
 If you are changing the location of an executable or libraries the
 executables write to, please make sure SELinux labels are still
 consistent or contact the selinux developers for help.  IF you update a
 package in a released version of Fedora and change the locations you
 MUST make sure it still works with selinux in enforcing mode.

I do not understand the "the executables write to" part of the condition
of what is bad and therefore not at all what needs to be avoided.

Is it possible to move a library from /usr/lib to /lib without breaking
selinux?

Regards
Till



Re: Developers of packages please pay attention to selinux labeling.

2010-07-13 Thread Nicolas Mailhot
On 13/07/2010 15:30, Rahul Sundaram wrote:
 
 On 07/13/2010 06:58 PM, Christopher Brown wrote:
 No. SELinux is unacceptable when it displays ridiculous warning
 messages to users telling them it has detected suspicious activity on
 a system that has ONLY JUST BEEN INSTALLED.
   
 
 That should have failed the release criteria as it is written
 currently.

IIRC pyzor, for example, has never worked on an selinux system, as it
tries to write stuff in / (and no one has minded for many releases)


Re: Developers of packages please pay attention to selinux labeling.

2010-07-13 Thread Rahul Sundaram
On 07/13/2010 08:15 PM, Nicolas Mailhot wrote:
 IIRC pyzor, for example, has never worked on an selinux system, as it
 tries to write stuff in / (and no one has minded for many releases)
   

The release criteria only cares about the default package set and
configuration in my understanding.

Rahul



Re: Developers of packages please pay attention to selinux labeling.

2010-07-13 Thread Dr. Michael J. Chudobiak
 Personally I do momentarily enable to test but always disable
 because of _hundreds_ of errors in the applet thingy.

You can disable the applet thingy without disabling selinux. I do.


- Mike


Re: Developers of packages please pay attention to selinux labeling.

2010-07-13 Thread Rahul Sundaram
On 07/13/2010 09:03 PM, Pádraig Brady wrote:
 Nobody I know enables SELinux.
 smolt says about half leave it enabled:
 http://smolts.org/static/stats/stats.html
 But I'm guessing a lot of experienced users/devs
 disable it given previous experiences...
 It's a bit of a catch 22 really.
   

The smolt stats has some gaps but setting aside that.  68.9% has SELinux
enabled according to it.  Besides if you are a Fedora package maintainer
and do not test your package with SELinux in enforcing mode, you aren't
doing a good job.   Regardless of whether you have it enabled on your
system, you know that a large number of users would since it is the
default configuration resulting in a broken user experience. 

Rahul


Re: Developers of packages please pay attention to selinux labeling.

2010-07-13 Thread Matěj Cepl
On 13.7.2010 17:33, Pádraig Brady wrote:
 Personally I do momentarily enable to test but always disable
 because of _hundreds_ of errors in the applet thingy.

Hundreds? I have been running RHEL-6 from mid-January (that means 
Rawhide was quite stable comparing to it) with SELinux in the Enforcing 
mode with even special SELinux user staff_u and I just don't see 
*hundreds* bugs on day-to-day basis. I was very faithful in filing ALL 
SELinux issues to bugzilla and I am quite sure it wasn't hundred so far.

Matěj

-- 
In those days spirits were brave, the stakes were high, men were
real men, women were real women and small furry creatures from
Alpha Centauri were real small furry creatures from Alpha
Centauri.
 -- Douglas Adams


Re: Developers of packages please pay attention to selinux labeling.

2010-07-13 Thread Carl Gaudreault
Pádraig Brady wrote:

 Nobody I know enables SELinux.
 smolt says about half leave it enabled:
 http://smolts.org/static/stats/stats.html
 But I'm guessing a lot of experienced users/devs
 disable it given previous experiences...

It's closer to 70% actually, also consider the 18.7% being marked as
Unknown.

 Personally I do momentarily enable to test but always disable
 because of hundreds of errors in the applet thingy.

If you have _hundreds_ of errors with SELinux, I'm afraid you are
exaggerating, using a custom policy or you might have a serious labeling issue:

touch /.autorelabel
reboot

My system is running as staff_u, and I don't remember reporting more than 20-30
AVCs over now almost a year. If you think it might be an issue with the
policy, you should report those bugs into RHBZ.

 Enabling in non enforcing mode causes a huge performance hit,
 causing for example the do you want to kill dialog to pop up
 when I try to quit firefox.

Can you measure the *huge* performance hit, I would be interested to see your
numbers. As far as I'm aware, the performance hit of SELinux is around 5-7%.

 But I'm guessing a lot of experienced users/devs
 disable it given previous experiences...

Well, they should reconsider their decision and just take a look at how many
user space tools are available to make their life easier.

The FUD about SELinux needs to stop.



Re: Developers of packages please pay attention to selinux labeling.

2010-07-13 Thread Chris Adams
Once upon a time, Christopher Brown snecklif...@gmail.com said:
 Whilst I appreciate your huge efforts to provide users with a more
 secure system, you need to realise that SELinux as it stands at the
 moment is utterly broken.

It works for a lot of people, so I would hardly call it utterly
broken.

 I understand wanting SELinux checks for *EL but for Fedora? Seriously?

Since the major security risk is at the desktop, and Fedora is more
targeted at the desktop than RHEL, SELinux is IMHO more important in
Fedora than RHEL.
-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.


Re: Developers of packages please pay attention to selinux labeling.

2010-07-13 Thread drago01
On Tue, Jul 13, 2010 at 2:55 PM, Daniel J Walsh dwa...@redhat.com wrote:
 If you are changing the location of an executable or libraries the
 executables write to, please make sure SELinux labels are still
 consistent or contact the selinux developers for help.  IF you update a
 package in a released version of Fedora and change the locations you
 MUST make sure it still works with selinux in enforcing mode.

 packagekit got released this to F13 and Rawhide this week and changed
 its location. packagekitd should be labeled rpm_exec_t,  Since it moved
 it got the default label and is now running unconfined.  This causes
 labels to get screwed up and lots of bugs are being reported on it.  It
 gives SELinux a bad name.  And it makes our user community mad.  SELinux
 has been around a long time.  Packages should be using it at least in
 testing.  This is unacceptable.

Yeah updating (core!) packages like PackageKit without even testing it
with the default setup *is* indeed unacceptable.

Imagine a kernel update that eats your data on ext4 but has not been
tested on it because the maintainer happens to run $othernondefaultfs
(yes not really the same scale; but it shows how wrong this behavior
is).


Re: Developers of packages please pay attention to selinux labeling.

2010-07-13 Thread Richard Hughes
On 13 July 2010 17:26, drago01 drag...@gmail.com wrote:
 Yeah updating (core!) packages like PackageKit without even testing it
 with the default setup *is* indeed unacceptable.

I did test it with SELinux enabled, but I don't run enforcing as it
gets in my way as a developer. There was no message[1] in the SELinux
Troubleshooter when installing or using the new package for me.

Richard.

[1] Well, there are 254 other messages about npviewer, wine and vlc,
but I digress.


Re: Developers of packages please pay attention to selinux labeling.

2010-07-13 Thread Adam Williamson
On Tue, 2010-07-13 at 16:45 +0200, Nicolas Mailhot wrote:
 On 13/07/2010 15:30, Rahul Sundaram wrote:
  
  On 07/13/2010 06:58 PM, Christopher Brown wrote:
  No. SELinux is unacceptable when it displays ridiculous warning
  messages to users telling them it has detected suspicious activity on
  a system that has ONLY JUST BEEN INSTALLED.

  
  That should have failed the release criteria as it is written
  currently.
 
 IIRC pyzor, for example, has never worked on an selinux system, as it
 tries to write stuff in / (and no one has minded for many releases)

If it's not installed by default, we don't care (as far as the release
criteria go).

The criterion Rahul is referencing is:

In most cases, there must be no SELinux 'AVC: denied' messages or abrt
crash notifications on initial boot and subsequent login (see
Blocker_Bug_FAQ)

from the final release criteria -
https://fedoraproject.org/wiki/Fedora_14_Final_Release_Criteria .

The 'In most cases' is a standard weasel clause we use when we might
want to not fix an issue that would technically breach the criteria if
it would only show up in really odd circumstances - for instance, if you
have to have three rare bits of hardware installed in conjunction before
you'd hit the denial, or something like that.

The test case for validating this criterion is:

https://fedoraproject.org/wiki/QA:Testcase_desktop_error_checks

note that it doesn't test non-default package sets, and doesn't test
actively *running* applications, only booting to a default desktop.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net
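
The criterion quoted in the message above (no SELinux 'AVC: denied' messages on initial boot and subsequent login) can be checked mechanically against the audit log. The following is an added example, not part of the thread or of the Fedora test case; the function names and the sample records are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample audit records (not from the thread or from a real system).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1279040000.101:31): avc:  denied  { write } for  pid=1501 comm="exampled" name="cache" dev=dm-0 ino=4242 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1279040000.101:31): arch=c000003e syscall=83 success=no exit=-13 comm="exampled" exe="/usr/libexec/exampled"
type=AVC msg=audit(1279040003.555:40): avc:  denied  { write } for  pid=1777 comm="exampled" name="cache" dev=dm-0 ino=4242 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1279040010.900:52): avc:  granted  { setenforce } for  pid=1 comm="init" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=USER_AVC msg=audit(1279040020.010:60): pid=900 uid=81 msg='avc:  denied  { send_msg } for msgtype=method_call scontext=system_u:system_r:example_t:s0 tcontext=system_u:system_r:other_t:s0 tclass=dbus'
"""

# Matches kernel AVC and userspace USER_AVC denials; "granted" records are skipped.
DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denials(log_text):
    """Return a Counter of unique denials keyed by
    (comm, permissions, source context, target context, object class)."""
    counts = Counter()
    for line in log_text.splitlines():
        match = DENIED_RE.search(line)
        if not match:
            continue
        # Only read key=value pairs that follow the "denied { ... }" part.
        fields = {k: v.strip("\"'") for k, v in FIELD_RE.findall(line[match.end():])}
        key = (
            fields.get("comm", "?"),  # USER_AVC records may carry no comm=
            tuple(match.group("perms").split()),
            fields.get("scontext"),
            fields.get("tcontext"),
            fields.get("tclass"),
        )
        counts[key] += 1
    return counts


def criterion_passes(log_text):
    """True when the log contains no 'avc: denied' record at all."""
    return not parse_denials(log_text)


if __name__ == "__main__":
    for key, seen in parse_denials(SAMPLE_AUDIT_LOG).items():
        print(seen, key)
```

Repeated identical denials collapse into one entry with a count, so a long log reduces to the distinct issues that would each need a bug report.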


Re: Developers of packages please pay attention to selinux labeling.

2010-07-13 Thread Rahul Sundaram
On 07/14/2010 02:46 AM, Adam Williamson wrote:

 The test case for validating this criterion is:

 https://fedoraproject.org/wiki/QA:Testcase_desktop_error_checks

 note that it doesn't test non-default package sets, and doesn't test
 actively *running* applications, only booting to a default desktop.
   

I think we need to change that to actively run and test the default
applications that are accessible from the menu. 

Rahul



Re: Developers of packages please pay attention to selinux labeling.

2010-07-13 Thread Pádraig Brady
On 13/07/10 16:57, Matěj Cepl wrote:
 Dne 13.7.2010 17:33, Pádraig Brady napsal(a):
 Personally I do momentarily enable to test but always disable
 because of _hundreds_ of errors in the applet thingy.
 
 Hundreds? I have been running RHEL-6 from mid-January (that means 
 Rawhide was quite stable comparing to it) with SELinux in the Enforcing 
 mode with even special SELinux user staff_u and I just don't see 
 *hundreds* bugs on day-to-day basis. I was very faithful in filing ALL 
 SELinux issues to bugzilla and I am quite sure it wasn't hundred so far.

To be clear, the hundreds contained many duplicates.
I'm not complaining since I haven't looked into any
of these issues, I'm just trying to provide insight
into why SELinux might not be as tested as one would like.

cheers,
Pádraig.

Re: Developers of packages please pay attention to selinux labeling.

2010-07-13 Thread Orcan Ogetbil
On Tue, Jul 13, 2010 at 8:55 AM, Daniel J Walsh  wrote:
 If you are changing the location of an executable or libraries the
 executables write to, please make sure SELinux labels are still
 consistent or contact the selinux developers for help.  If you update a
 package in a released version of Fedora and change the locations you
 MUST make sure it still works with selinux in enforcing mode.

 packagekit got released this to F13 and Rawhide this week and changed
 its location. packagekitd should be labeled rpm_exec_t,  Since it moved
 it got the default label and is now running unconfined.  This causes
 labels to get screwed up and lots of bugs are being reported on it.  It
 gives SELinux a bad name.  And it makes our user community mad.  SELinux
 has been around a long time.  Packages should be using it at least in
 testing.  This is unacceptable.


Please write up a guideline proposal, stating what needs to be checked
on an update by the packager, and submit it to FPC. I am sure that
they will consider it, and it will make things clear for packagers.

Thanks,
Orcan

Re: Developers of packages please pay attention to selinux labeling.

2010-07-13 Thread Matěj Cepl
Dne 13.7.2010 23:17, Pádraig Brady napsal(a):
 To be clear, the hundreds contained many duplicates.
 I'm not complaining since I haven't looked into any
 of these issues, I'm just trying to provide insight
 into why SELinux might not be as tested as one would like.

Just to note, that setroubleshooter thingy is MUCH better in resolving 
duplicates than abrt ... no surprise, it has much more structured and 
smaller text to compare.

Matěj

-- 
Somewhere at the edge of the Bell curve was the girl for me.
-- Based on http://xkcd.com/314/


Re: Developers of packages please pay attention to selinux labeling.

2010-07-13 Thread Adam Williamson
On Wed, 2010-07-14 at 02:53 +0530, Rahul Sundaram wrote:
 On 07/14/2010 02:46 AM, Adam Williamson wrote:
 
  The test case for validating this criterion is:
 
  https://fedoraproject.org/wiki/QA:Testcase_desktop_error_checks
 
  note that it doesn't test non-default package sets, and doesn't test
  actively *running* applications, only booting to a default desktop.

 I think we need to change that to actively run and test the default
 applications that are accessible from the menu. 

That's sort of covered in
https://fedoraproject.org/wiki/QA:Testcase_desktop_menus . I didn't
explicitly mention the apps should run without AVCs, but I would
probably have considered it a blocker bug if I'd actually hit a case
where an AVC popped up when doing that test. We could discuss adding it
explicitly to that case and the criteria, I guess.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net



Re: Developers of packages please pay attention to selinux labeling.

2010-07-13 Thread Peter Gordon


Adam Williamson awill...@redhat.com wrote:

On Tue, 2010-07-13 at 16:33 +0100, Pádraig Brady wrote:
 On 13/07/10 15:47, Tomasz Torcz wrote:
  On Tue, Jul 13, 2010 at 03:11:44PM +0100, Christopher Brown wrote:
 
  As long as you give us a heads up we can prevent these types of blowups.
  Since this policy is shared between yum, packagekit
 
  Whilst I appreciate your huge efforts to provide users with a more
  secure system, you need to realise that SELinux as it stands at the
  moment is utterly broken. As you clearly don't think this is the case,
  please spend some time in userland before beating on developers for
  not caring about this.
  
  
  On the other hand, I cannot understand why packagers submit packages that
  have no chance to work in default Fedora settings, with SELinux in 
  Enforcing mode.
 
 Nobody I know enables SELinux.
 smolt says about half leave it enabled:
 http://smolts.org/static/stats/stats.html
 But I'm guessing a lot of experienced users/devs
 disable it given previous experiences...
 It's a bit of a catch 22 really.
 
 Personally I do momentarily enable to test but always disable
 because of _hundreds_ of errors in the applet thingy.
 Enabling in non enforcing mode causes a huge performance hit,
 causing for example the do you want to kill dialog to pop up
 when I try to quit firefox.

I have it enabled all the time on all my machines, and have never seen
either problem. I only get a small number of alerts, which I always
report to Bugzilla. I find Dan usually fixes them very quickly.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net
