Jeff Schroeder wrote:
> On Fri, Dec 12, 2008 at 2:49 PM, Anton Arapov wrote:
>
>> On Fri, Dec 12, 2008 at 10:06:43PM +0100, Anton Arapov wrote:
>>
>>> On Fri, Dec 12, 2008 at 10:33:44AM -0500, Michael DeHaan wrote:
>>>
>>>> Anton Arapov wrote:
>>>>
>>>>> On Thu, Dec 11, 2008 at 11:40:25AM -0500, Michael DeHaan wrote:
>>>>>
>>>>>> Anton Arapov wrote:
>>>>>>
>>>> Anton,
>>>>
>>>> I'm pretty sure it's fine for applications to be ensuring that contexts
>>>> are set right, so the earlier things seem fine to me, though it also
>>>> seems that we would be better served having a SELinux policy written for
>>>> koan, and having that shipped with koan (and possibly installed by the
>>>> RPM -- or providing instructions for it to do so). Perhaps we can follow
>>>> that tactic instead?
>>>>
>>>> This would have the benefit of also being able to move koan out of being
>>>> unconfined, which may actually /improve/ security in a few regards
>>>> (except of course koan's there to reinstall your system if you use
>>>> --replace-self so it's a bit illusory to assume that's why we're doing
>>>> it). The policy would need to be very open ended because koan can
>>>> install files with its --update-files feature and also manipulate grub?
>>>>
>>>> Does that make sense?
>>>>
>>> Michael,
>>>
>>> I did some investigations today, and have had a chance to speak
>>> to Dan Walsh, our selinux guru. And the concern is that we have
>>> mentioned by me selinux restrictions with semanage just because of
>>> tricky implementation of the logging (how we log things to
>>> ~/.koan/koan.log) and another one, seems we have problem in
>>> sub_process, it leaves file descriptor open....
>>>
>>> I will dive into it this weekend and will come up with solution.
>>> If there will be the need of setting some context to the koan script,
>>> probably..... but I do not think so. :)
>>>
>>> -- Anton
>>>
>> I'm afraid, I will not have a time to work further on this next week,
>> so sharing what I have:
>>
>> In order to eliminate the problem with logging, we need to set
>> appropriate context to ~/.koan/koan.log or log everything to /var/log
>> for example, var_log_t:
>> # chcon -v -t var_log_t /root/.koan/koan.log
>>
>> And if we really care about it, it will be better to create some
>> koan's context, may be koan_log_t, and use it. Do we need this?
>> Might be we will use /var/log/* in the future?
>>
>
> Ideally, cobbler would do:
> import syslog
>
> syslog(...
>
> and then cobbler logs would use existing syslog infrastructures. It is
> annoying that it doesn't currently for those of us who have big syslog
> environments.
>

FWIW, we are referring to koan here, but that's a valid point.
We can probably look at tweaking Cobbler and koan's logging to use
syslog (either by default or as an option) in a future release.
Comments welcome.

Meanwhile, file an RFE in Trac so we don't forget -- (fedorahosted.org/cobbler)

--Michael
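
The thread mentions sub_process leaving a file descriptor open. The following is an added example, not code from koan or from anyone in this thread, showing how an open log descriptor reaches a child process and two ways to stop that. It assumes the leaked descriptor is the log file; `CHILD_PROBE`, `child_inherits` and `demo` are hypothetical names, and the log file is a constructed temporary file.

```python
import os
import subprocess
import sys
import tempfile

# Child: exit 0 only if fd argv[1] is open and is the file (dev, inode) given.
CHILD_PROBE = """
import os, sys
fd, dev, ino = map(int, sys.argv[1:4])
try:
    st = os.fstat(fd)
except OSError:
    sys.exit(1)
sys.exit(0 if (st.st_dev, st.st_ino) == (dev, ino) else 1)
"""


def child_inherits(fd, close_fds):
    """Spawn a child and report whether it still holds the file behind fd."""
    st = os.fstat(fd)
    argv = [sys.executable, "-c", CHILD_PROBE,
            str(fd), str(st.st_dev), str(st.st_ino)]
    return subprocess.run(argv, close_fds=close_fds).returncode == 0


def demo():
    """Return (leaky, closed_by_popen, cloexec) for a constructed log file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "koan.log")  # stand-in for ~/.koan/koan.log
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
        try:
            # Assumed failure mode: the descriptor is inheritable and the
            # spawner does not close it, so the child receives the log fd.
            os.set_inheritable(fd, True)
            leaky = child_inherits(fd, close_fds=False)
            # Fix 1: have subprocess close everything above stderr.
            closed_by_popen = child_inherits(fd, close_fds=True)
            # Fix 2: make the descriptor close-on-exec where it is opened.
            os.set_inheritable(fd, False)
            cloexec = child_inherits(fd, close_fds=False)
        finally:
            os.close(fd)
    return leaky, closed_by_popen, cloexec


if __name__ == "__main__":
    print(demo())  # (True, False, False) on a POSIX system
```
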
