Re: Regarding WMVS packages in FC3 and FC4 from Ville Skyttä on 2005-06-08 (public-qa-dev@w3.org from June 2005)

From: Ville Skyttä <ville.skytta@iki.fi>
Date: Wed, 08 Jun 2005 09:57:48 +0300
To: QA-dev <public-qa-dev@w3.org>
Message-Id: <1118213868.1799.250.camel@bobcat.mine.nu>

On Wed, 2005-06-01 at 12:05 +0900, olivier Thereaux wrote:
> Ville,
> 
> Thanks for investigating this.

NP, actually I have been vaguely aware of the problems (which exist
already in FC3), but haven't got around to doing anything about it.

(And by the way, as always, a list reply is fine, no need for a personal
copy...)

> On May 22, 2005, at 19:57, Ville Skyttä wrote:
> > Stuff that the current FC4 targeted policy disallows for CGI scripts
> > includes for example hostname resolution (/etc/resolv.conf, UDP DNS
> > traffic), fetching the documents to be validated from arbitrary
> > hostnames and TCP ports (applies also to external entities in onsgmls),
> > and IIRC invoking arbitrary executables (unverified, but in this
> > case /usr/bin/onsglms), reading the WMVS configuration file and maybe
> > more.
> 
> This seems awfully restrictive... I'm wondering if it would be feasible 
> to still provide packages that would clear the dependencies and install 
> most files, without installing the CGI at its final location. The admin 
> would only have to copy/edit a few files for the installation to be 
> complete.
> 
> Would that comply with the FC policy? Would that be useful?

Sort of, but what we'd need is a SELinux policy source snippet sets up a
targeted policy for the "check" script, and instructions how to apply
that snippet to the local SELinux policy.

To avoid inflicting that on users, the policy snippet above would have
to be included in the policy that ships with the OS.  And since 0.7.0 is
somewhat near and may cause the need to modify these policies again, I'd
rather not submit something for inclusion in the OS that might change
soon.  Note: I'm not certain that it will need changes, but then again
I'm not certain that it won't. 

Anyway, FC4 will be out next Monday, and I won't have time to
investigate this more before that, nor can I really promise when I do.
So, the best option right now IMO would be to request pulling the
Validator package from the FC4 Extras repository before that, and
revisit when someone finds time to come up with the exact description of
needed policy adjustments.  Unless someone yells, I'm going to request
the pull tomorrow (to make sure it happens before Monday).

> either way, we'll have to update the installation info.

Right.  This may actually cause more wrinkles: SELinux is going
mainstream into more distributions than just Red Hat's, and users of
more distros will soon face the same problems.  I have no clue how
portable the policy modifications between distros will be, but I'm
currently not too optimistic...

Received on Wednesday, 8 June 2005 06:55:46 UTC