Re: Regarding WMVS packages in FC3 and FC4 from Ville Skyttä on 2005-06-27 (public-qa-dev@w3.org from June 2005)

From: Ville Skyttä <ville.skytta@iki.fi>
Date: Mon, 27 Jun 2005 12:11:35 +0300
To: QA-dev Dev <public-qa-dev@w3.org>
Message-Id: <1119863495.22291.201.camel@localhost.localdomain>

On Mon, 2005-06-27 at 10:38 +0900, olivier Thereaux wrote:

> I finally took some time to check out SELinux, in order to understand 
> the issue a bit better. As a first reaction, I am frankly baffled that 
> this thing, however certainly useful, could go mainstream in many 
> distributions given its level of user/admin/developer-unfriendliness...

Seconded.  But it's there, not only in distrbutions, but AFAIK vanilla
upstream kernel nowadays too.

> I guess we'd first need to "audit" (is that the term) the Markup 
> Validator on a system running SELinux, and see what happens, e.g what 
> gets disallowed and why. Would you be able to do that? Or maybe Terje 
> could?

That part is pretty trivial.  Just install the validator on a machine
that has SELinux in enforcing mode, then set SELinux into permissive
mode ("/usr/sbin/setenforce 0" on the fly or SELINUX=permissive
to /etc/selinux/config to get it applied after boot), and start using
the validator, watching /var/log/audit/audit.log on FC4
or /var/log/messages on FC3.

I've already done a part of this; I don't claim it to be complete or
error free, but it's a start.  See the commentary in the %prep section
of the specfile at
http://cvs.fedora.redhat.com/viewcvs/rpms/w3c-markup-validator/devel/w3c-markup-validator.spec?root=extras&rev=.&view=auto

I think I can do something about this this week, as I would like to test
0.7.0a2 on my FC4 box.

> > To avoid inflicting that on users, the policy snippet above would have
> > to be included in the policy that ships with the OS.
> 
> Might be a stupid idea, but then, might not: wouldn't it be possible to 
> do that through the spec file in the packages, somehow?

I tend to think theoretically yes.  But every time I've seen someone ask
it on the Fedora Extras or SELinux lists, the answer has been more or
less a blunt "this is not currently doable, wait until we have the
official way figured out".  I guess in the strict meaning of the word,
it is _doable_ now, but maybe just seen as ugly and thus frowned upon.
Or then again I might be missing something.

> > Anyway, FC4 will be out next Monday, [...] Unless someone yells, I'm 
> > going to request
> > the pull tomorrow (to make sure it happens before Monday).
> 
> Was it removed?

Yes, from FC4 and FC5 devel, for now.  It's still in FC3, but I have a
open ticket on that, it doesn't work there either:
https://bugzilla.redhat.com/149454

Received on Monday, 27 June 2005 09:11:39 UTC