Re: Regarding WMVS packages in FC3 and FC4 from olivier Thereaux on 2005-06-27 (public-qa-dev@w3.org from June 2005)

From: olivier Thereaux <ot@w3.org>
Date: Mon, 27 Jun 2005 10:38:49 +0900
To: QA-dev Dev <public-qa-dev@w3.org>
Message-Id: <294cb7579e34e9c6a0551e7e037a52e0@w3.org>

Hi Ville, all,

I finally took some time to check out SELinux, in order to understand 
the issue a bit better. As a first reaction, I am frankly baffled that 
this thing, however certainly useful, could go mainstream in many 
distributions given its level of user/admin/developer-unfriendliness...

On Jun 8, 2005, at 15:57, Ville Skyttä wrote:
>> On May 22, 2005, at 19:57, Ville Skyttä wrote:
>>> Stuff that the current FC4 targeted policy disallows for CGI scripts
>>> includes for example hostname resolution (/etc/resolv.conf, UDP DNS
>>> traffic), fetching the documents to be validated from arbitrary
>>> hostnames and TCP ports (applies also to external entities in 
>>> onsgmls),
>>> and IIRC invoking arbitrary executables (unverified, but in this
>>> case /usr/bin/onsglms), reading the WMVS configuration file and maybe
>>> more.
>
> Sort of, but what we'd need is a SELinux policy source snippet sets up 
> a
> targeted policy for the "check" script, and instructions how to apply
> that snippet to the local SELinux policy.

I guess we'd first need to "audit" (is that the term) the Markup 
Validator on a system running SELinux, and see what happens, e.g what 
gets disallowed and why. Would you be able to do that? Or maybe Terje 
could?

> To avoid inflicting that on users, the policy snippet above would have
> to be included in the policy that ships with the OS.

Might be a stupid idea, but then, might not: wouldn't it be possible to 
do that through the spec file in the packages, somehow?

> Anyway, FC4 will be out next Monday, [...] Unless someone yells, I'm 
> going to request
> the pull tomorrow (to make sure it happens before Monday).

Was it removed?

> This may actually cause more wrinkles: SELinux is going
> mainstream into more distributions than just Red Hat's, and users of
> more distros will soon face the same problems.  I have no clue how
> portable the policy modifications between distros will be, but I'm
> currently not too optimistic...

We'll see. We may need help from our user base, but I'm sure we'll 
manage. We are certainly not the only developers in this case, which 
means that hopefully either there were solutions found already, or 
SELinux will have to be adapted, eventually, to be more friendly to 
CGIs.

-- 
olivier

Received on Monday, 27 June 2005 01:38:54 UTC