From: mgrepl@redhat.com (Miroslav Grepl)
Date: Wed, 5 Aug 2015 14:19:43 +0200
Subject: [refpolicy] kdbus support
In-Reply-To:
References: <55BF5F1B.1010002@redhat.com> <55BF6C54.9070806@tycho.nsa.gov> <55BF7BA8.8000905@redhat.com> <55BF8B58.7000100@tycho.nsa.gov> <55BF8E4C.9010706@redhat.com> <55BF8ED7.1000402@tycho.nsa.gov>
Message-ID: <55C1FF5F.3050006@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/03/2015 09:28 PM, Paul Moore wrote:
> On Mon, Aug 3, 2015 at 11:55 AM, Stephen Smalley wrote:
>> On 08/03/2015 11:52 AM, Daniel J Walsh wrote:
>>> I am sure the developers would argue that the whole process would grind
>>> to a halt.
>>
>> Seems problematic otherwise, as 1) it shifts the blame for breakage to
>> SELinux rather than to the offending change, and 2) it teaches
>> developers and users of rawhide to just always disable SELinux to avoid
>> such breakage, which only further reinforces the problem. And then
>> fixing such issues falls entirely on you and never on the developer who
>> made the change. Certainly seems problematic that the maintainer of
>> such a critical package as systemd runs with SELinux disabled...
>
> I completely agree with Stephen.
>
> Adding kdbus without the necessary LSM/SELinux support is a security
> regression, it's really that simple. While I agree that the systemd
> developers seem to be a bit more responsive to SELinux faults than
> most developers, there is absolutely no reason why they shouldn't have
> done more to ensure the proper LSM/SELinux support. At the very
> least, some emails about the kdbus development plans and timing would
> have helped greatly.
>
> As things stand there is almost surely going to be a gap where kdbus
> is upstream but it is missing the necessary LSM/SELinux hooks. That
> is a very bad thing in my opinion, made worse by the fact that it so
> easily could have been avoided with better communication by the kdbus
> developers.

I like to see this discussion here.

Basically, as Dan wrote, it was about avoiding unlabeled_t and having rawhide working somehow, because it is always important to catch most of the issues in this phase. I will create a tracker bug and collect all issues. And this is easier with kdbusfs_t labeling than with unlabeled_t. And of course, this is not something that we will keep in regular Fedora releases.

--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.