Bug 193156
Summary: | Review Request: devallocator | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Daniel Walsh <dwalsh> |
Component: | Package Review | Assignee: | David Cantrell <dcantrell> |
Status: | CLOSED WONTFIX | QA Contact: | Fedora Package Reviews List <fedora-package-review> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | rawhide | CC: | dcantrell, sgrubb |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2006-07-13 19:43:17 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 197170 |
Description
Daniel Walsh
2006-05-25 18:09:14 UTC
*** Bug 193155 has been marked as a duplicate of this bug. *** Is anyone reviewing this request? Dan I don't believe so. I looked at it, saw "replace hal/udev" and went "out of my league". I followed the URL in the spec and didn't see anything explanatory. It's tough to do a review when you have absolutely no idea what the package is supposed to be doing. This package is required by the EAL4 LSPP Effort going on for RHEL5. Basically the requirement states that all device allocation for a use has to happen manually by the user, and needs to be auditited. So hal/udev combination can not automatically setup a USB device or a rw-cdrom. The user needs to do this manually. Steve could you further elaborate. That functionality does seem pretty scary. Can this not run in conjunction with udev or hal? The %files section looks a little weird. %doc conf/dev_allocator.conf <-- no abs path? leading slashes on %{_libdir} and I think the manfile can be handled with mandir alias. Also, do we really need the .a file? We _really_ don't want things to link statically, unless there is a specific need. The LSPP security target states that no automatic labeling is to be done without the administrator having done it. Dan's statement of replacing udev/hal is somewhat misleading. We can use udev/hal for initial labeling, but we will have to make the init script stop them when init is complete. When the system is operational and ready for users to log in, device allocation must be done manually. For example, you may want to designate a printer for secret documents. Or change it to be Top Secret. We cannot have a hotplug event to come along and change the level. Regarding the review, we just need to make sure it conforms to FC/E guidelines. Updated to fix above comments Spec URL: ftp://people.redhat.com/dwalsh/SELinux/devallocator.spec SRPM URL: ftp://people.redhat.com/dwalsh/SELinux/devallocator-0.5.4-2.src.rpm Description: This package contains the devallocator tool which is required for LSPP Conformance. When the system is operational and ready for users to log in, device allocation must be done manually. For example, you may want to designate a printer for secret documents. Or change it to be Top Secret. Hotplug events cannot be allowed to change the level. dev_allocator is required to replace hal/udev after system startable. Removable Devices need to be manually allocated by users in an MLS environment. This tool allows for the auditing of these events. Automatic allocation of devices is not allowed in an LSPP environment. Requires(pre) should be Requires(preun) Remove leading slash from /%{_libdir}/libdevallocation.so and /%{_libdir}/libdevallocation.so.* and /%{_libdir}/devallocation/* and /usr/share/devallocation/* Fails to build on x86_64 as the install installs stuff to /usr/lib rather than /usr/lib64. This will need to be fixed. Applied this fixes and fixed to build on x86_64. Spec URL: ftp://people.redhat.com/dwalsh/SELinux/devallocator.spec SRPM URL: ftp://people.redhat.com/dwalsh/SELinux/devallocator-0.5.4-4.src.rpm RPMLINT just has to say: E: devallocator non-standard-executable-perm /usr/bin/dev_allocator 04755 E: devallocator setuid-binary /usr/bin/dev_allocator root 04755 W: devallocator-devel no-documentation W: devallocator no-reload-entry /etc/rc.d/init.d/devallocator W: devallocator service-default-enabled /etc/rc.d/init.d/devallocator The first two should be addressed or mentioned whats going on, the first warning is somewhat ignorable, same with the second error (although a reload would be nice), and do we want this service enabled by default? Updated to latest upstream version, but I think we are going to pull this from Extras and just build it for RHEL5. Since it really is not for general use on non MLS Machines. Spec URL: ftp://people.redhat.com/dwalsh/SELinux/devallocator.spec SRPM URL: ftp://people.redhat.com/dwalsh/SELinux/devallocator-0.5.7-1.src.rpm removing FE-REVIEW since this has been closed. |