On Mon, Oct 7, 2024 at 12:36 PM Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Sun, 06 Oct 2024, Zbigniew Jędrzejewski-Szmek wrote:
> >On Sat, Oct 05, 2024 at 10:53:16AM +0300, Alexander Bokovoy wrote:
> >> Can we move systemd-homed configuration and activation into something
> >> that could be explicitly enabled by the administrators? Whether this is
> >> done during installation or post, it still would need to be a conscious
> >> step made by admins.
> >
> >It can be enabled and disabled. Nevertheless, having it enabled seems
> >to be a good default. If there are no homed users defined, it should
> >just hang in the background doing nothing. (Though maybe it could exit
> >after being started. I'll try to look into this.)
> >
> >Any SELinux denials will have to be fixed anyway. So this is not an
> >argument for disabling it.
>
> Sure, it does need to be fixed. However, I think it is a signal that
> systemd-homed is not really in use across Fedora community. The original
> SELinux issue was opened in 2021, against Fedora 35:
> https://bugzilla.redhat.com/show_bug.cgi?id=2036108
>
> Since that time multiple people tried to get SELinux policy developed
> and merged upstream and none happened until we re-raised its importance
> from OpenQA failures for FreeIPA. So SELinux policy changes would come
> but this is not enough.
>
> A question was raised in 2023 by mattdm about systemd-homed support of
> SELinux on newly created homes as somebody commented that systemd-homed
> does not support proper labeling of the homes:
>
> https://github.com/fedora-selinux/selinux-policy/pull/939#issuecomment-1409217811
> No follow up happened on that, sadly.
>
> I do not see any work done on that yet. Without having SELinux support
> properly integrated, I think enabling systemd-homed by default is
> premature.

Actually selinux-policy has support for systemd-homed in F41 and F42 since Sep 24th.

> Could you please make sure this is addressed by systemd-homed through
> upstream?
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland

--
Zdenek Pytela
Security SELinux team
--
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue