On Wed, Sep 16, 2020 at 04:07:11PM +0200, Ondrej Mosnacek wrote:
> On Thu, Sep 10, 2020 at 6:05 PM Robbie Harwood wrote:
> >
> > Ondrej Mosnacek writes:
> >
> > > James Cassell wrote:
> > >> Ben Cotton wrote:
> > >>
> > >>>
On Thu, Sep 10, 2020 at 6:05 PM Robbie Harwood wrote:
>
> Ondrej Mosnacek writes:
>
> > James Cassell wrote:
> >> Ben Cotton wrote:
> >>
> >>> https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable
> >>>
> >>> == Summary ==
> >>> Remove support for SELinux runtime
Ondrej Mosnacek writes:
> James Cassell wrote:
>> Ben Cotton wrote:
>>
>>> https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable
>>>
>>> == Summary ==
>>> Remove support for SELinux runtime disable so that the LSM hooks can
>>> be hardened via
On Thu, Sep 10, 2020 at 4:05 PM Michal Schorm wrote:
> On Thu, Sep 10, 2020 at 3:58 PM Ondrej Mosnacek wrote:
> > On Thu, Sep 10, 2020 at 3:48 PM Michal Schorm wrote:
> > > Does this mean, the "setenforce 0" won't work anymore?
> > No, no, don't worry, "setenforce 0" (i.e. switching SELinux to
On Thu, Sep 10, 2020 at 03:46:38PM +0200, Michal Schorm wrote:
> Does this mean, the "setenforce 0" won't work anymore?
No, setenforce will not be affected by this change.
> I use it quite a lot to examine the denials and audit2allow to
> generate updated rules which fixes my issues.
>
> I
On Thu, Sep 10, 2020 at 3:58 PM Ondrej Mosnacek wrote:
> On Thu, Sep 10, 2020 at 3:48 PM Michal Schorm wrote:
> > Does this mean, the "setenforce 0" won't work anymore?
> No, no, don't worry, "setenforce 0" (i.e. switching SELinux to
> "Permissive" mode) would not be affected and would work as
On Thu, Sep 10, 2020 at 3:48 PM Michal Schorm wrote:
> Does this mean, the "setenforce 0" won't work anymore?
No, no, don't worry, "setenforce 0" (i.e. switching SELinux to
"Permissive" mode) would not be affected and would work as before.
The proposal is only about fully disabling SELinux.
On Thu, Sep 10, 2020 at 2:28 PM Richard Hughes wrote:
> On Thu, 10 Sep 2020 at 12:38, Neal Gompa wrote:
> > Because Red Hat customers put the SELinux policy developers into
> > no-win situations: they complain about AVC denials that don't actually
> > significantly break anything in *their* app
Does this mean, the "setenforce 0" won't work anymore?
I use it quite a lot to examine the denials and audit2allow to
generate updated rules which fixes my issues.
I would see the inability of such workflow as a major drawback for
*anyone* who doesn't just consume the default configuration.
e.g.
On Wed, Sep 09, 2020 at 10:24:00AM +0200, Vít Ondruch wrote:
> Generally, I would appreciate if the proposal was more readable to
> casual Fedora user/developer. I don't think there is clearly described
> the current state and what is going to be changed. Also, there is a lot
> of unclear
On Thu, Sep 10, 2020 at 7:38 AM Neal Gompa wrote:
>
> On Thu, Sep 10, 2020 at 7:33 AM Richard Hughes wrote:
> >
> > On Thu, 10 Sep 2020 at 10:17, Tom Hughes wrote:
> > > > Speaking from personal experience, I've wasted days over the last
> > > > decade trying to debug a locally installed system
On Thu, 10 Sep 2020 at 12:38, Neal Gompa wrote:
> Because Red Hat customers put the SELinux policy developers into
> no-win situations: they complain about AVC denials that don't actually
> significantly break anything in *their* app
My response to that would be to ship an "AVC ignore-list"
On Thu, Sep 10, 2020 at 7:33 AM Richard Hughes wrote:
>
> On Thu, 10 Sep 2020 at 10:17, Tom Hughes wrote:
> > > Speaking from personal experience, I've wasted days over the last
> > > decade trying to debug a locally installed system service that was not
> > > working where there were no
On Thu, 10 Sep 2020 at 10:17, Tom Hughes wrote:
> > Speaking from personal experience, I've wasted days over the last
> > decade trying to debug a locally installed system service that was not
> > working where there were no messages in any of the logs (e.g. no AVCs)
> > -- and turning off
On Thu, Sep 10, 2020 at 11:18 AM Tom Hughes via devel wrote:
> On 10/09/2020 09:44, Richard Hughes wrote:
> > On Tue, 8 Sep 2020 at 16:29, Ben Cotton wrote:
> >> NOTE: Runtime disable is considered deprecated by upstream, and using
> >> it will become increasingly painful (e.g.
On Thu, Sep 10, 2020 at 11:18 AM Florian Weimer wrote:
> * Ben Cotton:
>
> > https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable
> >
> > == Summary ==
> > Remove support for SELinux runtime disable so that the LSM hooks can
> > be hardened via
On 10/09/2020 09:44, Richard Hughes wrote:
> On Tue, 8 Sep 2020 at 16:29, Ben Cotton wrote:
>> NOTE: Runtime disable is considered deprecated by upstream, and using
>> it will become increasingly painful (e.g. sleeping/blocking) through
>> future kernel releases until eventually it is removed completely.
* Ben Cotton:
> https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable
>
> == Summary ==
> Remove support for SELinux runtime disable so that the LSM hooks can
> be hardened via read-only-after-initialization protections.
>
> Migrate users to using ''selinux=0'' if they
On Tue, 8 Sep 2020 at 16:29, Ben Cotton wrote:
> NOTE: Runtime disable is considered deprecated by upstream, and using
> it will become increasingly painful (e.g. sleeping/blocking) through
> future kernel releases until eventually it is removed completely.
Speaking from personal experience,
Hi James,
On Tue, Sep 8, 2020 at 8:43 PM James Cassell wrote:
> On Tue, Sep 8, 2020, at 11:28 AM, Ben Cotton wrote:
> > https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable
> >
> > == Summary ==
> > Remove support for SELinux runtime disable so that the LSM hooks can
Generally, I would appreciate if the proposal was more readable to
casual Fedora user/developer. I don't think there is clearly described
the current state and what is going to be changed. Also, there is a lot
of unclear terminology, e.g. I don't have idea what are "LSM hooks".
"Migrate users to
On Tue, Sep 8, 2020, at 11:28 AM, Ben Cotton wrote:
> https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable
>
> == Summary ==
> Remove support for SELinux runtime disable so that the LSM hooks can
> be hardened via read-only-after-initialization protections.
>
>
https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable
== Summary ==
Remove support for SELinux runtime disable so that the LSM hooks can
be hardened via read-only-after-initialization protections.
Migrate users to using ''selinux=0'' if they want to disable SELinux.
24 matches