- From: Ville Skyttä <ville.skytta@iki.fi>
- Date: Sun, 22 May 2005 13:57:14 +0300
- To: QA-dev <public-qa-dev@w3.org>

The targeted SELinux configuration in Fedora Core 3 and especially the upcoming Fedora Core 4 makes it really hard, and at best fragile if not impossible, to provide WMVS packages that would work properly out of the box. A targeted SELinux policy is in effect for both FC3 and 4 by default. The root cause of the problem is that facilities for individual packages to modify the SELinux configuration in a way that would persist after file system relabeling etc. simply do not really exist yet.

Stuff that the current FC4 targeted policy disallows for CGI scripts includes for example hostname resolution (/etc/resolv.conf, UDP DNS traffic), fetching the documents to be validated from arbitrary hostnames and TCP ports (applies also to external entities in onsgmls), and IIRC invoking arbitrary executables (unverified, but in this case /usr/bin/onsgmls), reading the WMVS configuration file and maybe more.

Therefore, I'm inclined to request removal of my WMVS FC3 and FC4 packages from the Fedora Extras repositories until it is possible to deploy the needed SELinux policy from the RPMs, or if/until the system default policy allows the Validator to work as intended out of the box. The packages work as is if one runs a FC[34] box with SELinux turned off or into a non-enforcing mode, but that's too much to ask IMO, and I'm sure the Fedora Extras policies would not welcome that idea at all.

If this temporary removal happens, the WMVS docs about the RPM availability should be temporarily commented out too, until well-working packages are available again.

Thoughts?

Received on Sunday, 22 May 2005 10:54:38 UTC