Bug 840679
Summary: | Removal of SELinux policy modules for software not delivered by RHEL | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Robert Scheck <redhat-bugzilla> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED NOTABUG | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 6.3 | CC: | dwalsh, mmalik |
Target Milestone: | rc | Keywords: | Reopened |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2012-10-09 12:34:00 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 782183 |
Description
Robert Scheck
2012-07-16 21:49:55 UTC
Cross-filed case 00678456 in the Red Hat Customer Portal. I disagree, removing the policy will not solve the problem, since a confined application that we do ship like apache will need to interact with the domains. I guess we could move to shipping policies that are unconfined for third party products. In your example of clamav and amavisd, these apps interact with all of our mailers, postfix, other spam filters excetera, Removing the policy will not solve the problem of handling these interactions. If I get you right, the SELinux policy is currently not that modular anymore? My thought was, that everything for clamav would be in it's own module which can be installed from EPEL, too. Right now, the clamav SELinux policy module is part of RHEL, while clamav is only in EPEL, not in RHEL. Couldn't this be more fine splitted? Well the policy is still modular. You should be able to disable non-base modules (most of them) => policy is modular If you disable/remove a module, a service will run as initrc_t for example. But if a daemon with a domain needs to talk with this service which is now initrc_t, you will see AVC msgs. Why does RHEL ship policy modules for software it does not ship? Would it not make more sense to ship each policy module which each software? Like Postfix ships the SELinux policy module for postfix. Means the clamav policy module is in that case from EPEL, because clamav is from EPEL, too. Means, I would not to mess up with the support team claiming that clamav is not supported by RHEL for example. clamav or any other package is welcome to ship policy with their package. Several packages have attempted to do this in the past, but most have asked us to take over management of them, because the owners do not understand how policy works or it becomes easier as interaction between different domains, can cause problems. If you want to add policy to clamav to fix the problem and now wait for the next rhel update to fix, you are welcome to do so. We have always shipped policy for domains not shipped with Red Hat since we see interaction between domains that we do ship, like a confined domain interacting with a virus detector application. I dislike the current situation, because SELinux policy updates in RHEL are just slow. Most of them are delayed till the next RHEL minor release simply, which for example also applied and applies to nearly all of my open tickets/ reports. Opening tickets in the Red Hat Customer Portal does not speed up... Case 00695178 is a good example that the inclusion of SELinux policy modules for software that you don't ship sucks. Now somebody is evaluating if a clamav SELinux policy update can or will be included for the next SELinux package. And if we did not have this, it would suck more, because all of the mail programs and other tools that are plugged into clamav would break. We release preliminary polcies on http://people.redhat.com/dwalsh/SELinux/RHEL6 And I have no problems pushing policy out quicker if people believe this is a good idea. |