On Thu, 2010-07-15 at 09:52 +0100, Richard W.M. Jones wrote:
> On Tue, Jul 13, 2010 at 04:47:40PM +0200, Tomasz Torcz wrote:
> > There are sometimes such obvious errors and missing labels that I
> > cannot imagine not catching an audit message when program fails to
> > even start!
>
> A lot of my
On Thu, Jul 15, 2010 at 09:52:39AM +0100, Richard W.M. Jones wrote:
> A lot of my Fedora machines are virtualized and I only ever interact
> with them by ssh. While I would see a program if it failed to start,
> I don't generally see any SELinux audit messages ever. (The bloated
This is a proble
On 07/15/2010 06:04 AM, Richard W.M. Jones wrote:
> On Thu, Jul 15, 2010 at 03:29:34PM +0530, Rahul Sundaram wrote:
>> On 07/15/2010 02:22 PM, Richard W.M. Jones wrote:
>>> On Tue, Jul 13, 2010 at 04:47:40PM +0200, Tomasz Torcz wrote:
>>>
There are sometimes such obvious errors and missing
On Thu, Jul 15, 2010 at 03:29:34PM +0530, Rahul Sundaram wrote:
> On 07/15/2010 02:22 PM, Richard W.M. Jones wrote:
> > On Tue, Jul 13, 2010 at 04:47:40PM +0200, Tomasz Torcz wrote:
> >
> >> There are sometimes such obvious errors and missing labels that I
> >> cannot imagine not catching an aud
On 07/15/2010 02:22 PM, Richard W.M. Jones wrote:
> On Tue, Jul 13, 2010 at 04:47:40PM +0200, Tomasz Torcz wrote:
>
>> There are sometimes such obvious errors and missing labels that I
>> cannot imagine not catching an audit message when program fails to
>> even start!
>>
> A lot of my Fedo
On Tue, Jul 13, 2010 at 04:47:40PM +0200, Tomasz Torcz wrote:
> There are sometimes such obvious errors and missing labels that I
> cannot imagine not catching an audit message when program fails to
> even start!
A lot of my Fedora machines are virtualized and I only ever interact
with them by ssh
Adam Williamson wrote:
>On Tue, 2010-07-13 at 16:33 +0100, Pádraig Brady wrote:
>> On 13/07/10 15:47, Tomasz Torcz wrote:
>> > On Tue, Jul 13, 2010 at 03:11:44PM +0100, Christopher Brown wrote:
>> >>>
>> >>> As long as you give us a heads up we can prevent these types of blowups.
>> >>> Since t
On Wed, 2010-07-14 at 02:53 +0530, Rahul Sundaram wrote:
> On 07/14/2010 02:46 AM, Adam Williamson wrote:
> >
> > The test case for validating this criterion is:
> >
> > https://fedoraproject.org/wiki/QA:Testcase_desktop_error_checks
> >
> > note that it doesn't test non-default package sets, and d
On Tue, 2010-07-13 at 16:33 +0100, Pádraig Brady wrote:
> On 13/07/10 15:47, Tomasz Torcz wrote:
> > On Tue, Jul 13, 2010 at 03:11:44PM +0100, Christopher Brown wrote:
> >>>
> >>> As long as you give us a heads up we can prevent these types of blowups.
> >>> Since this policy is shared between yum,
Dne 13.7.2010 23:17, Pádraig Brady napsal(a):
> To be clear, the "hundreds" contained many duplicates.
> I'm not complaining since I haven't looked into any
> of these issues, I'm just trying to provide insight
> into why SELinux might not be as tested as one would like.
Just to note, that setroub
On Tue, Jul 13, 2010 at 8:55 AM, Daniel J Walsh wrote:
> If you are changing the locate of an executable or libraries the
> executables write to, please make sure SELinux labels are still
> consistant or contact the selinux developers for help. IF you update a
> package in a released version of F
On 13/07/10 16:57, Matěj Cepl wrote:
> Dne 13.7.2010 17:33, Pádraig Brady napsal(a):
>> Personally I do momentarily enable to test but always disable
>> because of _hundreds_ of errors in the applet thingy.
>
> Hundreds? I have been running RHEL-6 from mid-Januray (that means
> Rawhide was quite
On 07/14/2010 02:46 AM, Adam Williamson wrote:
>
> The test case for validating this criterion is:
>
> https://fedoraproject.org/wiki/QA:Testcase_desktop_error_checks
>
> note that it doesn't test non-default package sets, and doesn't test
> actively *running* applications, only booting to a defaul
On Tue, 2010-07-13 at 16:45 +0200, Nicolas Mailhot wrote:
> Le 13/07/2010 15:30, Rahul Sundaram a écrit :
> >
> > On 07/13/2010 06:58 PM, Christopher Brown wrote:
> >> No. SELinux is unacceptable when it displays ridiculous warning
> >> messages to users telling them it has detected suspicious act
On 13 July 2010 17:26, drago01 wrote:
> Yeah updating (core!) packages like PackageKit without even testing it
> with the default setup *is* indeed unacceptable.
I did test it with SELinux enabled, but I don't run enforcing as it
gets in my way as a developer. There was no message[1] in the SELin
On Tue, Jul 13, 2010 at 2:55 PM, Daniel J Walsh wrote:
> If you are changing the locate of an executable or libraries the
> executables write to, please make sure SELinux labels are still
> consistant or contact the selinux developers for help. IF you update a
> package in a released version of F
Once upon a time, Christopher Brown said:
> Whilst I appreciate your huge efforts to provide users with a more
> secure system, you need to realise that SELinux as it stands at the
> moment is utterly broken.
It works for a lot of people, so I would hardly call it "utterly
broken".
> I understan
Pádraig Brady wrote:
>Nobody I know enables SELinux.
>smolt says about half leave it enabled:
>http://smolts.org/static/stats/stats.html
>But I'm guessing a lot of experienced users/devs
>disable it given previous experiences...
It's closer to 70% actually, also consider the 18.7% being market a
Dne 13.7.2010 17:33, Pádraig Brady napsal(a):
> Personally I do momentarily enable to test but always disable
> because of _hundreds_ of errors in the applet thingy.
Hundreds? I have been running RHEL-6 from mid-Januray (that means
Rawhide was quite stable comparing to it) with SELinux in the Enf
On 07/13/2010 09:03 PM, Pádraig Brady wrote:
> Nobody I know enables SELinux.
> smolt says about half leave it enabled:
> http://smolts.org/static/stats/stats.html
> But I'm guessing a lot of experienced users/devs
> disable it given previous experiences...
> It's a bit of a catch 22 really.
>
> Personally I do momentarily enable to test but always disable
> because of _hundreds_ of errors in the applet thingy.
You can disable the applet thingy without disabling selinux. I do.
- Mike
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/
On 13/07/10 15:47, Tomasz Torcz wrote:
> On Tue, Jul 13, 2010 at 03:11:44PM +0100, Christopher Brown wrote:
>>>
>>> As long as you give us a heads up we can prevent these types of blowups.
>>> Since this policy is shared between yum, packagekit
>>
>> Whilst I appreciate your huge efforts to provide
On 07/13/2010 10:37 AM, Till Maas wrote:
> On Tue, Jul 13, 2010 at 08:55:47AM -0400, Daniel J Walsh wrote:
>> If you are changing the locate of an executable or libraries the
>> executables write to, please make sure SELinux labels are still
>> consistant or contact the selinux developers for help.
On Tue, Jul 13, 2010 at 03:11:44PM +0100, Christopher Brown wrote:
> >
> > As long as you give us a heads up we can prevent these types of blowups.
> > Since this policy is shared between yum, packagekit
>
> Whilst I appreciate your huge efforts to provide users with a more
> secure system, you ne
On 07/13/2010 08:15 PM, Nicolas Mailhot wrote:
> IIRC pyzor, for example, has never worked on an selinux system, as it
> tries to write stuff in / (and no one has minded for many releases)
>
The release criteria only cares about the default package set and
configuration in my understanding.
Ra
Le 13/07/2010 15:30, Rahul Sundaram a écrit :
>
> On 07/13/2010 06:58 PM, Christopher Brown wrote:
>> No. SELinux is unacceptable when it displays ridiculous warning
>> messages to users telling them it has detected suspicious activity on
>> a system that has ONLY JUST BEEN INSTALLED.
>>
>
> T
On Tue, Jul 13, 2010 at 08:55:47AM -0400, Daniel J Walsh wrote:
> If you are changing the locate of an executable or libraries the
> executables write to, please make sure SELinux labels are still
> consistant or contact the selinux developers for help. IF you update a
> package in a released vers
On 07/13/2010 10:11 AM, Christopher Brown wrote:
> On 13 July 2010 14:44, Daniel J Walsh wrote:
>> On 07/13/2010 09:30 AM, Rahul Sundaram wrote:
>>> On 07/13/2010 06:58 PM, Christopher Brown wrote:
No. SELinux is unacceptable when it displays ridiculous warning
messages to users telling
On 07/13/2010 05:11 PM, Christopher Brown wrote:
> [...]
> Whilst I appreciate your huge efforts to provide users with a more
> secure system, you need to realise that SELinux as it stands at the
> moment is utterly broken. As you clearly don't think this is the case,
> please spend some time in us
On 13 July 2010 14:44, Daniel J Walsh wrote:
> On 07/13/2010 09:30 AM, Rahul Sundaram wrote:
>> On 07/13/2010 06:58 PM, Christopher Brown wrote:
>>> No. SELinux is unacceptable when it displays ridiculous warning
>>> messages to users telling them it has detected suspicious activity on
>>> a syste
On 07/13/2010 07:14 PM, Daniel J Walsh wrote:
> On 07/13/2010 09:30 AM, Rahul Sundaram wrote:
>
>> On 07/13/2010 06:58 PM, Christopher Brown wrote:
>>
>>> No. SELinux is unacceptable when it displays ridiculous warning
>>> messages to users telling them it has detected suspicious activity o
On 07/13/2010 09:30 AM, Rahul Sundaram wrote:
> On 07/13/2010 06:58 PM, Christopher Brown wrote:
>> No. SELinux is unacceptable when it displays ridiculous warning
>> messages to users telling them it has detected suspicious activity on
>> a system that has ONLY JUST BEEN INSTALLED.
>>
>
> That
On 07/13/2010 06:58 PM, Christopher Brown wrote:
> No. SELinux is unacceptable when it displays ridiculous warning
> messages to users telling them it has detected suspicious activity on
> a system that has ONLY JUST BEEN INSTALLED.
>
That should have failed the release criteria as it is writte
On 13 July 2010 13:55, Daniel J Walsh wrote:
> If you are changing the locate of an executable or libraries the
> executables write to, please make sure SELinux labels are still
> consistant or contact the selinux developers for help. IF you update a
> package in a released version of Fedora and
Daniel J Walsh wrote:
> packagekit got released this to F13 and Rawhide this week and changed
> its location. packagekitd should be labeled rpm_exec_t, Since it moved
> it got the default label and is now running unconfined. This causes
> labels to get screwed up and lots of bugs are being report
On 07/13/2010 06:25 PM, Daniel J Walsh wrote:
> If you are changing the locate of an executable or libraries the
> executables write to, please make sure SELinux labels are still
> consistant or contact the selinux developers for help. IF you update a
> package in a released version of Fedora and
On 07/13/2010 07:55 AM, Daniel J Walsh wrote:
> If you are changing the locate of an executable or libraries the
> executables write to, please make sure SELinux labels are still
> consistant or contact the selinux developers for help. IF you update a
> package in a released version of Fedora and
If you are changing the locate of an executable or libraries the
executables write to, please make sure SELinux labels are still
consistant or contact the selinux developers for help. IF you update a
package in a released version of Fedora and change the locations you
MUST make sure it still works
38 matches
Mail list logo
