On Thu, 2010-07-15 at 09:52 +0100, Richard W.M. Jones wrote:
> On Tue, Jul 13, 2010 at 04:47:40PM +0200, Tomasz Torcz wrote:
> > There are sometimes such obvious errors and missing labels that I
> > cannot imagine not catching an audit message when program fails to
> > even start!
>
> A lot of my
On Thu, Jul 15, 2010 at 09:52:39AM +0100, Richard W.M. Jones wrote:
> A lot of my Fedora machines are virtualized and I only ever interact
> with them by ssh. While I would see a program if it failed to start,
> I don't generally see any SELinux audit messages ever. (The bloated
This is a proble
On 07/15/2010 06:04 AM, Richard W.M. Jones wrote:
> On Thu, Jul 15, 2010 at 03:29:34PM +0530, Rahul Sundaram wrote:
>> On 07/15/2010 02:22 PM, Richard W.M. Jones wrote:
>>> On Tue, Jul 13, 2010 at 04:47:40PM +0200, Tomasz Torcz wrote:
>>>
There are sometimes such obvious errors and missing
On Thu, Jul 15, 2010 at 03:29:34PM +0530, Rahul Sundaram wrote:
> On 07/15/2010 02:22 PM, Richard W.M. Jones wrote:
> > On Tue, Jul 13, 2010 at 04:47:40PM +0200, Tomasz Torcz wrote:
> >
> >> There are sometimes such obvious errors and missing labels that I
> >> cannot imagine not catching an aud
On 07/15/2010 02:22 PM, Richard W.M. Jones wrote:
> On Tue, Jul 13, 2010 at 04:47:40PM +0200, Tomasz Torcz wrote:
>
>> There are sometimes such obvious errors and missing labels that I
>> cannot imagine not catching an audit message when program fails to
>> even start!
>>
> A lot of my Fedo
On Tue, Jul 13, 2010 at 04:47:40PM +0200, Tomasz Torcz wrote:
> There are sometimes such obvious errors and missing labels that I
> cannot imagine not catching an audit message when program fails to
> even start!
A lot of my Fedora machines are virtualized and I only ever interact
with them by ssh
Adam Williamson wrote:
>On Tue, 2010-07-13 at 16:33 +0100, Pádraig Brady wrote:
>> On 13/07/10 15:47, Tomasz Torcz wrote:
>> > On Tue, Jul 13, 2010 at 03:11:44PM +0100, Christopher Brown wrote:
>> >>>
>> >>> As long as you give us a heads up we can prevent these types of blowups.
>> >>> Since t
On Wed, 2010-07-14 at 02:53 +0530, Rahul Sundaram wrote:
> On 07/14/2010 02:46 AM, Adam Williamson wrote:
> >
> > The test case for validating this criterion is:
> >
> > https://fedoraproject.org/wiki/QA:Testcase_desktop_error_checks
> >
> > note that it doesn't test non-default package sets, and d
On Tue, 2010-07-13 at 16:33 +0100, Pádraig Brady wrote:
> On 13/07/10 15:47, Tomasz Torcz wrote:
> > On Tue, Jul 13, 2010 at 03:11:44PM +0100, Christopher Brown wrote:
> >>>
> >>> As long as you give us a heads up we can prevent these types of blowups.
> >>> Since this policy is shared between yum,
Dne 13.7.2010 23:17, Pádraig Brady napsal(a):
> To be clear, the "hundreds" contained many duplicates.
> I'm not complaining since I haven't looked into any
> of these issues, I'm just trying to provide insight
> into why SELinux might not be as tested as one would like.
Just to note, that setroub
On Tue, Jul 13, 2010 at 8:55 AM, Daniel J Walsh wrote:
> If you are changing the location of an executable or libraries the
> executables write to, please make sure SELinux labels are still
> consistent or contact the selinux developers for help. If you update a
> package in a released version of F
On 13/07/10 16:57, Matěj Cepl wrote:
> Dne 13.7.2010 17:33, Pádraig Brady napsal(a):
>> Personally I do momentarily enable to test but always disable
>> because of _hundreds_ of errors in the applet thingy.
>
> Hundreds? I have been running RHEL-6 from mid-January (that means
> Rawhide was quite
On 07/14/2010 02:46 AM, Adam Williamson wrote:
>
> The test case for validating this criterion is:
>
> https://fedoraproject.org/wiki/QA:Testcase_desktop_error_checks
>
> note that it doesn't test non-default package sets, and doesn't test
> actively *running* applications, only booting to a defaul
On Tue, 2010-07-13 at 16:45 +0200, Nicolas Mailhot wrote:
> Le 13/07/2010 15:30, Rahul Sundaram a écrit :
> >
> > On 07/13/2010 06:58 PM, Christopher Brown wrote:
> >> No. SELinux is unacceptable when it displays ridiculous warning
> >> messages to users telling them it has detected suspicious act
On 13 July 2010 17:26, drago01 wrote:
> Yeah updating (core!) packages like PackageKit without even testing it
> with the default setup *is* indeed unacceptable.
I did test it with SELinux enabled, but I don't run enforcing as it
gets in my way as a developer. There was no message[1] in the SELin
On Tue, Jul 13, 2010 at 2:55 PM, Daniel J Walsh wrote:
> If you are changing the location of an executable or libraries the
> executables write to, please make sure SELinux labels are still
> consistent or contact the selinux developers for help. If you update a
> package in a released version of F
Once upon a time, Christopher Brown said:
> Whilst I appreciate your huge efforts to provide users with a more
> secure system, you need to realise that SELinux as it stands at the
> moment is utterly broken.
It works for a lot of people, so I would hardly call it "utterly
broken".
> I understan
Pádraig Brady wrote:
>Nobody I know enables SELinux.
>smolt says about half leave it enabled:
>http://smolts.org/static/stats/stats.html
>But I'm guessing a lot of experienced users/devs
>disable it given previous experiences...
It's closer to 70% actually, also consider the 18.7% being market a
Dne 13.7.2010 17:33, Pádraig Brady napsal(a):
> Personally I do momentarily enable to test but always disable
> because of _hundreds_ of errors in the applet thingy.
Hundreds? I have been running RHEL-6 from mid-January (that means
Rawhide was quite stable comparing to it) with SELinux in the Enf
On 07/13/2010 09:03 PM, Pádraig Brady wrote:
> Nobody I know enables SELinux.
> smolt says about half leave it enabled:
> http://smolts.org/static/stats/stats.html
> But I'm guessing a lot of experienced users/devs
> disable it given previous experiences...
> It's a bit of a catch 22 really.
>
> Personally I do momentarily enable to test but always disable
> because of _hundreds_ of errors in the applet thingy.
You can disable the applet thingy without disabling selinux. I do.
- Mike
On 13/07/10 15:47, Tomasz Torcz wrote:
> On Tue, Jul 13, 2010 at 03:11:44PM +0100, Christopher Brown wrote:
>>>
>>> As long as you give us a heads up we can prevent these types of blowups.
>>> Since this policy is shared between yum, packagekit
>>
>> Whilst I appreciate your huge efforts to provide
On 07/13/2010 10:37 AM, Till Maas wrote:
> On Tue, Jul 13, 2010 at 08:55:47AM -0400, Daniel J Walsh wrote:
>> If you are changing the location of an executable or libraries the
>> executables write to, please make sure SELinux labels are still
>> consistent or contact the selinux developers for help.
On Tue, Jul 13, 2010 at 03:11:44PM +0100, Christopher Brown wrote:
> >
> > As long as you give us a heads up we can prevent these types of blowups.
> > Since this policy is shared between yum, packagekit
>
> Whilst I appreciate your huge efforts to provide users with a more
> secure system, you ne
On 07/13/2010 08:15 PM, Nicolas Mailhot wrote:
> IIRC pyzor, for example, has never worked on an selinux system, as it
> tries to write stuff in / (and no one has minded for many releases)
>
The release criteria only cares about the default package set and
configuration in my understanding.
Ra
Le 13/07/2010 15:30, Rahul Sundaram a écrit :
>
> On 07/13/2010 06:58 PM, Christopher Brown wrote:
>> No. SELinux is unacceptable when it displays ridiculous warning
>> messages to users telling them it has detected suspicious activity on
>> a system that has ONLY JUST BEEN INSTALLED.
>>
>
> T
On Tue, Jul 13, 2010 at 08:55:47AM -0400, Daniel J Walsh wrote:
> If you are changing the location of an executable or libraries the
> executables write to, please make sure SELinux labels are still
> consistent or contact the selinux developers for help. If you update a
> package in a released vers
On 07/13/2010 10:11 AM, Christopher Brown wrote:
> On 13 July 2010 14:44, Daniel J Walsh wrote:
>> On 07/13/2010 09:30 AM, Rahul Sundaram wrote:
>>> On 07/13/2010 06:58 PM, Christopher Brown wrote:
No. SELinux is unacceptable when it displays ridiculous warning
messages to users telling
On 07/13/2010 05:11 PM, Christopher Brown wrote:
> [...]
> Whilst I appreciate your huge efforts to provide users with a more
> secure system, you need to realise that SELinux as it stands at the
> moment is utterly broken. As you clearly don't think this is the case,
> please spend some time in us
On 13 July 2010 14:44, Daniel J Walsh wrote:
> On 07/13/2010 09:30 AM, Rahul Sundaram wrote:
>> On 07/13/2010 06:58 PM, Christopher Brown wrote:
>>> No. SELinux is unacceptable when it displays ridiculous warning
>>> messages to users telling them it has detected suspicious activity on
>>> a syste
On 07/13/2010 07:14 PM, Daniel J Walsh wrote:
> On 07/13/2010 09:30 AM, Rahul Sundaram wrote:
>
>> On 07/13/2010 06:58 PM, Christopher Brown wrote:
>>
>>> No. SELinux is unacceptable when it displays ridiculous warning
>>> messages to users telling them it has detected suspicious activity o
On 07/13/2010 09:30 AM, Rahul Sundaram wrote:
> On 07/13/2010 06:58 PM, Christopher Brown wrote:
>> No. SELinux is unacceptable when it displays ridiculous warning
>> messages to users telling them it has detected suspicious activity on
>> a system that has ONLY JUST BEEN INSTALLED.
>>
>
> That
On 07/13/2010 06:58 PM, Christopher Brown wrote:
> No. SELinux is unacceptable when it displays ridiculous warning
> messages to users telling them it has detected suspicious activity on
> a system that has ONLY JUST BEEN INSTALLED.
>
That should have failed the release criteria as it is writte
On 13 July 2010 13:55, Daniel J Walsh wrote:
> If you are changing the location of an executable or libraries the
> executables write to, please make sure SELinux labels are still
> consistent or contact the selinux developers for help. If you update a
> package in a released version of Fedora and
Daniel J Walsh wrote:
> packagekit got released to F13 and Rawhide this week and changed
> its location. packagekitd should be labeled rpm_exec_t. Since it moved
> it got the default label and is now running unconfined. This causes
> labels to get screwed up and lots of bugs are being report
On 07/13/2010 06:25 PM, Daniel J Walsh wrote:
> If you are changing the location of an executable or libraries the
> executables write to, please make sure SELinux labels are still
> consistent or contact the selinux developers for help. If you update a
> package in a released version of Fedora and
On 07/13/2010 07:55 AM, Daniel J Walsh wrote:
> If you are changing the location of an executable or libraries the
> executables write to, please make sure SELinux labels are still
> consistent or contact the selinux developers for help. If you update a
> package in a released version of Fedora and
37 matches