Bug 1250079
Summary: | Provide default-yama-scope to unbreak elfutils-libs and tools | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Mark Wielaard <mjw> |
Component: | elfutils | Assignee: | Mark Wielaard <mjw> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 22 | CC: | aoliva, fche, jakub, jan.kratochvil, me, mitr, mjw, pmoore, roland, ssorce |
Fixed In Version: | elfutils-0.163-3 | Doc Type: | Bug Fix |
Last Closed: | 2015-08-17 22:24:58 UTC | Type: | Bug |
Bug Depends On: | 1209492 | Bug Blocks: | |

Description
Mark Wielaard
2015-08-04 13:24:51 UTC
Proposed upstream patch: https://lists.fedorahosted.org/pipermail/elfutils-devel/2015-August/005079.html

New package with above patch applied now available in rawhide. http://koji.fedoraproject.org/koji/taskinfo?taskID=10600439 Will backport to f22 after some testing.

Please see BZ 1209492#c74, I think we should ship a "yama-config-disable" as an independent package, not as part of elfutils or any other package.

(In reply to Paul Moore from comment #3)
> Please see BZ 1209492#c74, I think we should ship a "yama-config-disable" as
> an independent package, not as part of elfutils or any other package.

I replied there. I don't think that is necessary. Let's just test the current package in rawhide and then provide it for f22 once it works as expected.

I strongly disagree, see my comments in BZ #1209492. Silently changing system-wide security policy as an additional dependency of an effectively mandatory package (systemd-libs requires: elfutils-libs) in the middle of F22 lifetime is a _really_ bad idea. I appreciate that you want your package to “just work” but this is not a reasonable way to go about it. Either the kernel functionality change was an ABI breakage unwanted at the time, that should be fixed in the kernel, or it was an acceptable thing to change in F22, and then it is unacceptable to silently open up access against possible wishes of administrators who thought they were protected.

Reverting the kernel configuration would be a much more appropriate fix for F22, and I guess F23 too at this point. User space needs to be ready for something like this *before* you make the kernel enforce stricter ptrace control. Papering over it with a config file delivered via a new rpm package seems like a very cumbersome way to go about it.

Simo, I agree, but absent other options (FESCO involvement to request the kernel revert), this seemed the least bad way.

I certainly also agree there were different ways to fix this. My personal preference would also have been to directly fix this in the kernel package. And if you read the original bug report (bug #1209492) you'll see several other suggestions for fixes. In the end the consensus was that having a separate package to provide a default-yama-config that packages that need it depend on was seen as the best solution. I don't believe anybody is really enthusiastic about it. But given all other options were considered worse, or unacceptable, this is what we got. Comments and better suggestions on the original bug #1209492 certainly welcome.