Re: Selinux in development releases
On 09/25/2012 11:11 AM, john.flor...@dart.biz wrote:
>> From: "Jason L Tibbitts III"
>> I'm something of an idiot when it comes to selinux; I used to know just enough to get a
>> reasonable bug report out, but now I've even forgotten most of that. I
>> do know, however, that turning off dontaudit rules can save your sanity,
>> because _way_ too much stuff fails silently. Which is a horrible bug in
>> itself but it seems to be by design.
>
> I concur. I suppose there's a good reason to not log some of these, but
> I've nearly lost my sanity more than once with these squelched messages.
> Life improved only once I realized my testing was missing 'setenforce 0' to
> see if that had any effect.
>
> -- John Florian
>

When this has happened please open a bug because we could be too liberal with our dontaudit rules.

--
test mailing list
test@lists.fedoraproject.org
To unsubscribe: https://admin.fedoraproject.org/mailman/listinfo/test
Re: Selinux in development releases
> From: john.flor...@dart.biz
> I was going to suggest that this should be noted at
> http://fedoraproject.org/wiki/SELinux/Troubleshooting, but I see it already
> is.

Perhaps I should start reading all of my mail before responding to any of it. Anyway, I'm very happy to see the addition on that page.

-- John Florian
Re: Selinux in development releases
> From: "Jason L Tibbitts III"
> I'm something of an idiot when it comes to selinux; I used to know just
> enough to get a reasonable bug report out, but now I've even forgotten
> most of that. I do know, however, that turning off dontaudit rules can
> save your sanity, because _way_ too much stuff fails silently. Which is
> a horrible bug in itself but it seems to be by design.

I concur. I suppose there's a good reason to not log some of these, but I've nearly lost my sanity more than once with these squelched messages. Life improved only once I realized my testing was missing 'setenforce 0' to see if that had any effect.

-- John Florian
Re: Selinux in development releases
> From: "Jason L Tibbitts III"
> > "JF" == John Florian writes:
>
> JF> I do wish there was some master switch to temporarily enable logging
> JF> for them.
>
> You mean, besides the existing "disable dontaudit rules" switch? Just
> run "semodule -DB". It's pretty much mandatory to do that first when
> debugging selinux problems.

No, that would be the one I'd want and was completely unaware of. ;-)

I was going to suggest that this should be noted at http://fedoraproject.org/wiki/SELinux/Troubleshooting, but I see it already is. This just proves what I was saying about Dan's superhuman response times. He can somehow introduce just-requested features prior to the present time! =)

Regardless of how dumb I feel right now, thanks so much for pointing that out.

-- John Florian
Re: Selinux in development releases
On 09/25/2012 08:42 AM, Matthew Miller wrote:
> On Tue, Sep 25, 2012 at 07:21:32AM -0500, Jason L Tibbitts III wrote:
>> You mean, besides the existing "disable dontaudit rules" switch? Just
>> run "semodule -DB". It's pretty much mandatory to do that first when
>> debugging selinux problems.
>
> Could this be added to
> http://fedoraproject.org/wiki/SELinux/Troubleshooting?
>

Seems like a lot of blog entries could be added to this page. Setting up Permissive Domains. Setting up unconfined domains. Disabling DontAudit rules.
Re: Selinux in development releases
On 09/25/2012 08:42 AM, Matthew Miller wrote:
> On Tue, Sep 25, 2012 at 07:21:32AM -0500, Jason L Tibbitts III wrote:
>> You mean, besides the existing "disable dontaudit rules" switch? Just
>> run "semodule -DB". It's pretty much mandatory to do that first when
>> debugging selinux problems.
>
> Could this be added to
> http://fedoraproject.org/wiki/SELinux/Troubleshooting?
>

Most of that info is ancient, but I did update it somewhat.
Re: Selinux in development releases
> "MM" == Matthew Miller writes:

MM> Of course. However, it might be better if someone who has better
MM> understanding of exactly what that does and how to use it (e.g.,
MM> Jason) would do it, including adding a little bit of surrounding
MM> text.

I'm just aping one of Dan's old blog entries: http://danwalsh.livejournal.com/11673.html

I'm something of an idiot when it comes to selinux; I used to know just enough to get a reasonable bug report out, but now I've even forgotten most of that. I do know, however, that turning off dontaudit rules can save your sanity, because _way_ too much stuff fails silently. Which is a horrible bug in itself but it seems to be by design.

 - J<
Re: Selinux in development releases
On Tue, Sep 25, 2012 at 12:55:19PM +, "Jóhann B. Guðmundsson" wrote:
> >On Tue, Sep 25, 2012 at 07:21:32AM -0500, Jason L Tibbitts III wrote:
> >>>You mean, besides the existing "disable dontaudit rules" switch? Just
> >>>run "semodule -DB". It's pretty much mandatory to do that first when
> >>>debugging selinux problems.
> >Could this be added to
> >http://fedoraproject.org/wiki/SELinux/Troubleshooting?
> It's a wiki, just log in and add it.

Of course. However, it might be better if someone who has better understanding of exactly what that does and how to use it (e.g., Jason) would do it, including adding a little bit of surrounding text.

--
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁
Re: Selinux in development releases
On 09/25/2012 12:42 PM, Matthew Miller wrote:
> On Tue, Sep 25, 2012 at 07:21:32AM -0500, Jason L Tibbitts III wrote:
>> You mean, besides the existing "disable dontaudit rules" switch? Just
>> run "semodule -DB". It's pretty much mandatory to do that first when
>> debugging selinux problems.
>
> Could this be added to
> http://fedoraproject.org/wiki/SELinux/Troubleshooting?

It's a wiki, just log in and add it.

JBG
Re: Selinux in development releases
On Tue, Sep 25, 2012 at 07:21:32AM -0500, Jason L Tibbitts III wrote:
> You mean, besides the existing "disable dontaudit rules" switch? Just
> run "semodule -DB". It's pretty much mandatory to do that first when
> debugging selinux problems.

Could this be added to http://fedoraproject.org/wiki/SELinux/Troubleshooting?

--
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁
Re: Selinux in development releases
> "JF" == John Florian writes:

JF> I do wish there was some master switch to temporarily enable logging
JF> for them.

You mean, besides the existing "disable dontaudit rules" switch? Just run "semodule -DB". It's pretty much mandatory to do that first when debugging selinux problems.

 - J<
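One way to turn the "disable dontaudit rules" step into a repeatable triage script, as an added example that is not from this thread or from Fedora's own tooling: it re-runs a failing command with `semodule -DB` in effect, counts the AVC denials that surface, restores the policy with `semodule -B`, and ships two small audit-record parsers exercised on constructed sample lines. It assumes a Fedora-style host with policycoreutils and audit installed; `selinux_triage`, `count_avc_denials`, `denied_scontexts` and the sample records are names and data assumed here.

```shell
#!/bin/sh
# Added example (not code from the thread): reproduce a failing command with
# dontaudit rules disabled so that squelched AVC denials become visible, then
# restore the normal policy. Assumes a Fedora-style host with policycoreutils
# (semodule, getenforce) and audit (ausearch); the names below are our own.

# Constructed sample audit records (not real log lines) used to exercise the
# parsing helpers offline: two denials for httpd_t and one 'granted' record.
SAMPLE_AUDIT='type=AVC msg=audit(1348560000.001:101): avc:  denied  { read } for  pid=2001 comm="httpd" name="index.html" dev="dm-0" ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1348560000.002:102): avc:  denied  { search } for  pid=2001 comm="httpd" name="home" dev="dm-0" ino=2 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1348560000.003:103): avc:  granted  { setsecparam } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security'

# Count AVC *denials* on stdin ('granted' records from auditallow rules are
# not failures). grep -c prints 0 but exits 1 when nothing matches, hence || true.
count_avc_denials() {
    grep -c 'avc: *denied' || true
}

# Distinct source domains (scontext=...) that were denied, one per line.
denied_scontexts() {
    grep 'avc: *denied' | sed -n 's/.*scontext=\([^ ]*\).*/\1/p' | sort -u
}

# Run "$@" with dontaudit rules disabled and report the denials it produced.
# Enforcing mode is deliberately left alone: the goal is to see denials that
# are normally silent, which switching to permissive on its own does not show.
selinux_triage() {
    [ "$(id -u)" -eq 0 ] || { echo "selinux_triage: run as root" >&2; return 2; }
    echo "SELinux mode: $(getenforce); disabling dontaudit rules (semodule -DB rebuilds policy)"
    semodule -DB
    start=$(date '+%H:%M:%S')
    rc=0
    "$@" || rc=$?
    avc_log=$(mktemp)
    ausearch -m avc -ts "$start" >"$avc_log" 2>/dev/null || true
    echo "command exited $rc; $(count_avc_denials <"$avc_log") denial(s) since $start"
    denied_scontexts <"$avc_log" | sed 's/^/  denied domain: /'
    rm -f "$avc_log"
    # Put the dontaudit rules back so the normal (quieter) policy is restored.
    semodule -B
    return "$rc"
}

# Only launch the triage when SELinux tooling is present and a command was
# given; otherwise just define the helpers (e.g. when sourced for testing).
if [ $# -gt 0 ] && command -v semodule >/dev/null 2>&1; then
    selinux_triage "$@"
fi
```

Typical use is `sudo sh triage.sh systemctl start some.service`; a non-zero exit with zero denials is the cue to compare against `setenforce 0`, as the thread describes, and file a bug if the behaviour differs.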
Re: Selinux in development releases
> From: "Jóhann B. Guðmundsson"
> To: test@lists.fedoraproject.org
> Date: 09/24/2012 16:25
> Subject: Re: Selinux in development releases
> Sent by: test-boun...@lists.fedoraproject.org
>
> On 09/24/2012 08:16 PM, drago01 wrote:
> > On Mon, Sep 24, 2012 at 10:13 PM, "Jóhann B. Guðmundsson"
> > wrote:
> >> I hereby propose that we default selinux to permissive mode up to final
> >> which should just get rid of unneeded nuance during testing.
> > -1
> >
> > This would just mean we test something different than we actually
> > ship. If there are selinux bugs they are supposed to be caught during
> > testing and reported like any other bugs.
>
> With permissive mode we should still be able to catch all those errors
> and report them without all the downside that comes with having it in
> enforcing mode during our development releases...

Not true from what I've witnessed. There are certain rules that indeed block some action, but do not get logged. I've encountered several over the years and was only able to detect these by toggling enforcing/permissive. I do wish there was some master switch to temporarily enable logging for them.

I concur that Dan is superhuman in his response times.

-- John Florian
Re: Selinux in development releases
On 09/25/2012 02:10 AM, Daniel J Walsh wrote:
> Definitely not. Enforcing mode and Permissive mode are not equivalent.
> SELinux/Permission Denied can cause things to crash. I have been working
> since last week on SELinux/Systemd problems that happen in early boot, and
> would only be seen in enforcing mode. For some reason avc messages were not
> showing up in early boot, so no one would have known about it.

Interesting, those errors are not even caught by the journal?

> Dontaudit rules can cover up messages that cause application bugs.

I see.

> We have been working with SELinux in enforcing mode for years now, why
> change now.

We also have had several releases without selinux running so we have two data points to measure with.

The reason why I suggested this is to keep the entry level for reporters as low as possible, so running selinux in permissive mode would have yielded the same result: we would have been able to still gather the necessary data without leaving the reporter with a potentially unbootable system. I guess we could just create a wiki page that reporters could use on the side in case they need it.

Ever since the introduction of systemd we have had more *severe* cases of selinux issues in the alpha phase, which seems to be mostly due to the systemd team not giving the selinux team a heads up about some of the changes they have made or are about to make. ( nothing that could not be solved with all the teams that make up CoreOS ( Kernel, Dracut, Systemd and arguably Selinux ) meeting and discussing what's going to happen next development cycle over a cold beer or good cognac )

Anyway, given your input + -1 from drago01 ( whatever his or her real name is ), Michael and Adam W., I think this proposal has been officially nack-ed ( unless some others from the QA community have something more valuable to add to the discussion ).

JBG
Re: Selinux in development releases
On Mon, 2012-09-24 at 20:13 +, "Jóhann B. Guðmundsson" wrote:
> I hereby propose that we default selinux to permissive mode up to final
> which should just get rid of unneeded nuance during testing.

For the record, I'm -1 for the reasons stated later in the thread.

--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net
Re: Selinux in development releases
On 09/24/2012 04:23 PM, "Jóhann B. Guðmundsson" wrote:
> On 09/24/2012 08:16 PM, drago01 wrote:
>> On Mon, Sep 24, 2012 at 10:13 PM, "Jóhann B. Guðmundsson"
>> wrote:
>>> I hereby propose that we default selinux to permissive mode up to
>>> final which should just get rid of unneeded nuance during testing.
>> -1
>>
>> This would just mean we test something different than we actually ship.
>> If there are selinux bugs they are supposed to be caught during testing
>> and reported like any other bugs.
>
> With permissive mode we should still be able to catch all those errors and
> report them without all the downside that comes with having it in enforcing
> mode during our development releases...
>
> JBG

Definitely not. Enforcing mode and Permissive mode are not equivalent. SELinux/Permission Denied can cause things to crash. I have been working since last week on SELinux/Systemd problems that happen in early boot, and would only be seen in enforcing mode. For some reason avc messages were not showing up in early boot, so no one would have known about it.

Dontaudit rules can cover up messages that cause application bugs.

We have been working with SELinux in enforcing mode for years now, why change now.

Do you have specific errors that SELinux is causing in Fedora 18?
Re: Selinux in development releases
On 09/24/2012 09:39 PM, Michael Cronenworth wrote:
> Good. I know I'm Mr. Nobody here, but his answer would be definitive.

There is no Mr. Nobody in the QA community ;)

Having selinux in permissive mode ( especially during alpha ) is from my pov more likely to hinder participation than to increase it. And this has been exceptionally bad since the introduction of systemd and most notably because of lack of communication from the three amigos to Dan. ( they make changes without notifying Dan about it, not giving him enough time to act on it )

JBG
Re: Selinux in development releases
"Jóhann B. Guðmundsson" wrote:
> This bug is filed against RHEL in any case just have it in permissive
> mode up to beta should suffice and prevent any RC_N surprises

Jóhann, I didn't blindly post the first bug I found. I ran into this bug on a Fedora system, which is the only reason I knew about it in the first place. If you read the bug comments you will find:

* With Enforcing: No AVC messages were output, but dirsrv-admin could not be started
* With Permissive: No AVC messages were output, but dirsrv-admin started

If you default to Permissive then you *will* miss possible policy bugs. Some of these are hidden in "dontaudit" messages such as the bug I linked.

> It would be good to get feedback from Dan, what's his take on this

Good. I know I'm Mr. Nobody here, but his answer would be definitive.
Re: Selinux in development releases
On 09/24/2012 09:21 PM, Michael Cronenworth wrote:
> "Jóhann B. Guðmundsson" wrote:
>> Do you have any reference for such bugs that only happen when selinux is
>> in enforcing mode but not when it is in enforcing mode?
>
> Yes, here is one bug[1] to get you started.
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=638511

This bug is filed against RHEL; in any case, just having it in permissive mode up to beta should suffice and prevent any RC_N surprises.

It would be good to get feedback from Dan, what's his take on this.

JBG
Re: Selinux in development releases
"Jóhann B. Guðmundsson" wrote:
> Do you have any reference for such bugs that only happen when selinux is
> in enforcing mode but not when it is in enforcing mode?

Yes, here is one bug[1] to get you started.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=638511
Re: Selinux in development releases
On 09/24/2012 08:19 PM, Michael Cronenworth wrote:
> drago01 wrote:
>> This would just mean we test something different than we actually
>> ship. If there are selinux bugs they are supposed to be caught during
>> testing and reported like any other bugs.
>
> +1
>
> There are instances of SELinux rules (bug or intentional) that only occur
> under Enforcing. The SELinux team is very speedy IMHO.

Do you have any reference for such bugs that only happen when selinux is in enforcing mode but not when it is in enforcing mode?

Yeah, the whole project is aware of Dan's superhuman ability to quickly fix things through and during our release and development cycles. A while back I suggested he should be offered a medal for his efforts.

JBG
Re: Selinux in development releases
On 09/24/2012 08:16 PM, drago01 wrote:
> On Mon, Sep 24, 2012 at 10:13 PM, "Jóhann B. Guðmundsson" wrote:
>> I hereby propose that we default selinux to permissive mode up to final
>> which should just get rid of unneeded nuance during testing.
>
> -1
>
> This would just mean we test something different than we actually
> ship. If there are selinux bugs they are supposed to be caught during
> testing and reported like any other bugs.

With permissive mode we should still be able to catch all those errors and report them without all the downside that comes with having it in enforcing mode during our development releases...

JBG
Re: Selinux in development releases
drago01 wrote:
> This would just mean we test something different than we actually
> ship. If there are selinux bugs they are supposed to be caught during
> testing and reported like any other bugs.

+1

There are instances of SELinux rules (bug or intentional) that only occur under Enforcing. The SELinux team is very speedy IMHO.
Re: Selinux in development releases
On Mon, Sep 24, 2012 at 10:13 PM, "Jóhann B. Guðmundsson" wrote:
> I hereby propose that we default selinux to permissive mode up to final
> which should just get rid of unneeded nuance during testing.

-1

This would just mean we test something different than we actually ship. If there are selinux bugs they are supposed to be caught during testing and reported like any other bugs.