On Tue, Jul 12, 2016 at 11:47:56AM +0200, Lennart Poettering wrote:
> On Sat, 09.07.16 21:18, Zbigniew Jędrzejewski-Szmek (zbys...@in.waw.pl) wrote:
>
> > On Sat, Jul 09, 2016 at 05:52:52PM +0100, Richard W.M. Jones wrote:
> > > On Fri, Jul 08, 2016 at 11:50:19AM -0400, Przemek Klosowski wrote:
>
On Sat, 09.07.16 21:18, Zbigniew Jędrzejewski-Szmek (zbys...@in.waw.pl) wrote:
> On Sat, Jul 09, 2016 at 05:52:52PM +0100, Richard W.M. Jones wrote:
> > On Fri, Jul 08, 2016 at 11:50:19AM -0400, Przemek Klosowski wrote:
> > > On 07/07/2016 04:59 PM, Richard W.M. Jones wrote:
> > > >On Wed, Jul 06,
On Sat, 09.07.16 17:52, Richard W.M. Jones (rjo...@redhat.com) wrote:
> On Fri, Jul 08, 2016 at 11:50:19AM -0400, Przemek Klosowski wrote:
> > On 07/07/2016 04:59 PM, Richard W.M. Jones wrote:
> > >On Wed, Jul 06, 2016 at 02:52:34PM +, Zbigniew Jędrzejewski-Szmek
> > >wrote:
> > >
> > >>That
On Sat, 09.07.16 05:31, Peter Robinson (pbrobin...@gmail.com) wrote:
> >> >>That patch is the answer to the (repeated) bug reports that relabelling
> >> >>fails if enforcing=1 and the labels are sufficiently messed up.
> >> >>Doing the relabel in permissive mode, without ever going to enforcing
>
On Sat, Jul 09, 2016 at 05:52:52PM +0100, Richard W.M. Jones wrote:
> On Fri, Jul 08, 2016 at 11:50:19AM -0400, Przemek Klosowski wrote:
> > On 07/07/2016 04:59 PM, Richard W.M. Jones wrote:
> > >On Wed, Jul 06, 2016 at 02:52:34PM +, Zbigniew Jędrzejewski-Szmek
> > >wrote:
> > >
> > >>That pat
On Sat, Jul 09, 2016 at 05:31:02AM +0100, Peter Robinson wrote:
> >> >>That patch is the answer to the (repeated) bug reports that relabelling
> >> >>fails if enforcing=1 and the labels are sufficiently messed up.
> >> >>Doing the relabel in permissive mode, without ever going to enforcing
> >> >>m
On Fri, Jul 08, 2016 at 11:50:19AM -0400, Przemek Klosowski wrote:
> On 07/07/2016 04:59 PM, Richard W.M. Jones wrote:
> >On Wed, Jul 06, 2016 at 02:52:34PM +, Zbigniew Jędrzejewski-Szmek wrote:
> >
> >>That patch is the answer to the (repeated) bug reports that relabelling
> >>fails if enforci
>> >>That patch is the answer to the (repeated) bug reports that relabelling
>> >>fails if enforcing=1 and the labels are sufficiently messed up.
>> >>Doing the relabel in permissive mode, without ever going to enforcing
>> >>mode, seems like the most reliable way out in this case. Starting in
>> >
On Fri, 08.07.16 11:50, Przemek Klosowski (przemek.klosow...@nist.gov) wrote:
> On 07/07/2016 04:59 PM, Richard W.M. Jones wrote:
> >On Wed, Jul 06, 2016 at 02:52:34PM +, Zbigniew Jędrzejewski-Szmek wrote:
> >
> >>That patch is the answer to the (repeated) bug reports that relabelling
> >>fail
On 07/07/2016 04:59 PM, Richard W.M. Jones wrote:
On Wed, Jul 06, 2016 at 02:52:34PM +, Zbigniew Jędrzejewski-Szmek wrote:
That patch is the answer to the (repeated) bug reports that relabelling
fails if enforcing=1 and the labels are sufficiently messed up.
Doing the relabel in permissive
On Wed, Jul 06, 2016 at 02:52:34PM +, Zbigniew Jędrzejewski-Szmek wrote:
> On Wed, Jul 06, 2016 at 02:11:31PM +0200, Petr Lautrbach wrote:
> > On 07/04/2016 05:34 PM, Richard W.M. Jones wrote:
> > > I don't exactly know where to post this, but I guess I have everyone's
> > > attention on this t
On Wed, Jul 06, 2016 at 02:11:31PM +0200, Petr Lautrbach wrote:
> On 07/04/2016 05:34 PM, Richard W.M. Jones wrote:
> > I don't exactly know where to post this, but I guess I have everyone's
> > attention on this thread.
> >
> > Attached are patches which work for me. They could really do with
>
On Sun, 03.07.16 19:19, Zbigniew Jędrzejewski-Szmek (zbys...@in.waw.pl) wrote:
> On Fri, Jul 01, 2016 at 01:13:35AM +0200, Lennart Poettering wrote:
> > On Thu, 30.06.16 22:27, Petr Lautrbach (plaut...@redhat.com) wrote:
> >
> > > > SELinux is in Permissive mode during this time.
> > >
> > > SEL
On Mon, 2016-07-04 at 22:52 -0500, Bruno Wolff III wrote:
> On Mon, Jul 04, 2016 at 10:25:36 -0700,
> Adam Williamson wrote:
> >
> > Do we actually *need* the second patch if we have the first? I mean, my
> > suggestion was just to do the first patch; if we do that, do we
> > actually need to w
On Mon, Jul 04, 2016 at 10:25:36 -0700,
Adam Williamson wrote:
Do we actually *need* the second patch if we have the first? I mean, my
suggestion was just to do the first patch; if we do that, do we
actually need to worry about making the relabel happen any earlier than
it currently does?
Ca
On Mon, Jul 04, 2016 at 04:34:22PM +0100, Richard W.M. Jones wrote:
> I don't exactly know where to post this, but I guess I have everyone's
> attention on this thread.
>
> Attached are patches which work for me. They could really do with
> review from someone who knows what they're doing. They
On Mon, Jul 04, 2016 at 10:25:36AM -0700, Adam Williamson wrote:
> On Mon, 2016-07-04 at 16:34 +0100, Richard W.M. Jones wrote:
> > I don't exactly know where to post this, but I guess I have everyone's
> > attention on this thread.
> >
> > Attached are patches which work for me. They could reall
On Mon, 2016-07-04 at 16:34 +0100, Richard W.M. Jones wrote:
> I don't exactly know where to post this, but I guess I have everyone's
> attention on this thread.
>
> Attached are patches which work for me. They could really do with
> review from someone who knows what they're doing. They also ne
I don't exactly know where to post this, but I guess I have everyone's
attention on this thread.
Attached are patches which work for me. They could really do with
review from someone who knows what they're doing. They also need much
more testing than I've done, but I'll be doing that myself late
On Fri, Jul 01, 2016 at 01:13:35AM +0200, Lennart Poettering wrote:
> On Thu, 30.06.16 22:27, Petr Lautrbach (plaut...@redhat.com) wrote:
>
> > > SELinux is in Permissive mode during this time.
> >
> > SELinux policy is loaded in systemd on very beginning so unless it's set
> > to be permissive i
> "PL" == Petr Lautrbach writes:
PL> (2) when a generator file was mislabeled it could not be run by
PL> systemd as systemd can't read fedora-relabel unit file now
Isn't it possible to detect that situation and simply force the relabel?
- J<
--
devel mailing list
devel@lists.fedoraproject.
On Thu, 30.06.16 22:27, Petr Lautrbach (plaut...@redhat.com) wrote:
> > SELinux is in Permissive mode during this time.
>
> SELinux policy is loaded in systemd on very beginning so unless it's set
> to be permissive in the config file or on the kernel command line, a
> system is in enforcing mode
On Thu, 30.06.16 21:23, Petr Lautrbach (plaut...@redhat.com) wrote:
> I like the idea that the relabeling will be isolated in a special
> target. And we've recently moved fedora-selinux.service to
> policycoreutils so it could live there.
>
> However, it won't probably fix the following problems:
On 06/30/2016 09:52 PM, Richard W.M. Jones wrote:
> On Thu, Jun 30, 2016 at 09:23:45PM +0200, Petr Lautrbach wrote:
>> On 06/30/2016 06:13 PM, Lennart Poettering wrote:
>>> On Thu, 30.06.16 10:45, Simo Sorce (s...@redhat.com) wrote:
>>>
>> Insert your idea here …
>
> Do it the same way
On Thu, Jun 30, 2016 at 09:23:45PM +0200, Petr Lautrbach wrote:
> On 06/30/2016 06:13 PM, Lennart Poettering wrote:
> > On Thu, 30.06.16 10:45, Simo Sorce (s...@redhat.com) wrote:
> >
> Insert your idea here …
> >>>
> >>> Do it the same way `dnf system-upgrade` works. The requirements (having
On 06/30/2016 06:13 PM, Lennart Poettering wrote:
> On Thu, 30.06.16 10:45, Simo Sorce (s...@redhat.com) wrote:
>
Insert your idea here …
>>>
>>> Do it the same way `dnf system-upgrade` works. The requirements (having
>>> local filesystem read- and writable) are quite similar. Or the way
>>
On Thu, 30.06.16 10:45, Simo Sorce (s...@redhat.com) wrote:
> > > Insert your idea here …
> >
> > Do it the same way `dnf system-upgrade` works. The requirements (having
> > local filesystem read- and writable) are quite similar. Or the way
> > PackageKit's system upgrade works…
> > probably th
On Thu, 2016-06-30 at 07:34 +, Christian Stadelmann wrote:
> > It should be possible to touch /.autorelabel and have the SELinux
> > labels on the filesystem fixed at next boot.
>
> […]
>
> > (a) Configure /etc/selinux/config to set SELinux permissive, and
> > modify the fedora-autorelabel.se
On 06/30/2016 09:34 AM, Christian Stadelmann wrote:
Setting SELinux to permissive (even for a very short time) seems risky to me.
I'd rather not do that.
Is it really substantially more risky than blindly relabeling the file
system?
Florian
> It should be possible to touch /.autorelabel and have the SELinux
> labels on the filesystem fixed at next boot.
[…]
> (a) Configure /etc/selinux/config to set SELinux permissive, and
> modify the fedora-autorelabel.service so it edits /etc/selinux/config
> to re-enable SELinux next time. This
On Wed, 2016-06-29 at 22:15 +0100, Richard W.M. Jones wrote:
> It should be possible to touch /.autorelabel and have the SELinux
> labels on the filesystem fixed at next boot.
>
> Fedora 24 shipped with a couple of nasty bugs in /.autorelabel
> functionality:
>
> https://bugzilla.redhat.com/sho
It should be possible to touch /.autorelabel and have the SELinux
labels on the filesystem fixed at next boot.
Fedora 24 shipped with a couple of nasty bugs in /.autorelabel
functionality:
https://bugzilla.redhat.com/show_bug.cgi?id=1351352
https://bugzilla.redhat.com/show_bug.cgi?id=1349586
32 matches