| 1 |
I run no-multilib and can offer to test postgres standalone for you. |
| 2 |
But given that I run no-multilib I do not know if I can help until |
| 3 |
that bug is fixed. |
| 4 |
|
| 5 |
-- Matthew Thode |
| 6 |
|
| 7 |
On Thu, Mar 17, 2011 at 17:33, Sven Vermeulen <sven.vermeulen@××××××.be> wrote: |
| 8 |
> On Thu, Mar 17, 2011 at 01:14:02PM -0400, Anthony G. Basile wrote: |
| 9 |
>> I'm think we should go for stabilization --- I'm not sure how since the |
| 10 |
>> arch teams are going to say they really can't test this for us, and as |
| 11 |
>> they did with other packages, will probably defer the judgment back to |
| 12 |
>> us. If we do, we should take this responsibility very seriously because |
| 13 |
>> the arch teams, if nothing else, are a double check on our work. |
| 14 |
> |
| 15 |
> For the time being, I'm focusing my attention on server-side testing: |
| 16 |
> integrated virtual environments running bind, openldap for authentication |
| 17 |
> with replication, a load-balanced apache setup offering squirrelmail access |
| 18 |
> to a virtual mailhosting setup (postfix/courier) and a standalone postgres |
| 19 |
> (still looking for something nice to fully test postgres with). |
| 20 |
> |
| 21 |
> I'm extending the environment with more and more services so that I have |
| 22 |
> some testing environments for most of the servers (for instance, I have a |
| 23 |
> build server that uses lighttpd) for which we have policies. |
| 24 |
> |
| 25 |
> However, |
| 26 |
> - I'm focussing on strict policy (no unconfined domains) which is a major |
| 27 |
> shortage as we definitely want to support unconfined as well. |
| 28 |
> - Although I run my desktops with SELinux strict as well, I'm hardly what |
| 29 |
> can be called a multimedia-user: apart from firefox and skype, all |
| 30 |
> utilities I use are mostly command-line ;-) So support for |
| 31 |
> desktop-oriented SELinux might still be lacking stuff. |
| 32 |
> |
| 33 |
> The reasons are fairly simple: |
| 34 |
> - Strict allows us to focus on the policy itself and, in theory, if a strict |
| 35 |
> policy works well, unconfined should work well too as far as the same |
| 36 |
> activities are concerned. |
| 37 |
> - Desktop applications are far too difficult to automatically test |
| 38 |
> (regressions), which leads me to |
| 39 |
> - I hardly have the time to run manual tests ;-) |
| 40 |
> |
| 41 |
> Of course, when there are bugs (for instance with unconfined) it's a small |
| 42 |
> step to convert to the targeted policy and verify if it is reproduceable |
| 43 |
> (like it was with that pesky bug you mentioned in the beginning of your |
| 44 |
> mail). |
| 45 |
> |
| 46 |
>> So far I see only a few bugs that need addressing still in bugzilla. |
| 47 |
>> (The bug reports are a bit disorganized because of how they were |
| 48 |
>> assigned. We're going to be assigning selinux bugs to |
| 49 |
>> selinux@g.o for easy lookup.) |
| 50 |
>> |
| 51 |
>> I think these are blockers to stabilization. Any others you want to add |
| 52 |
>> to the list? |
| 53 |
>> |
| 54 |
>> #355675 - No brainer. I'll test the patch there this afternoon and put |
| 55 |
>> it on the tree later if it works. |
| 56 |
>> |
| 57 |
>> #346563 - sounds like a profile problem, but I'm not sure its valid |
| 58 |
> |
| 59 |
> If we go for stabilization (and I wouldn't mind, as most additional servers |
| 60 |
> that I'm setting up hardly require updates on the policy) we should push the |
| 61 |
> SELinux Hardened Handbook (currently in hardened-doc.git) as well as the |
| 62 |
> SELinux FAQ. Also, the moment we stabilize, can we please get the |
| 63 |
> "loadpolicy" stuff out of our profile (selinux/make.defaults) ;-) |
| 64 |
> |
| 65 |
> Anyhow, #346563 is about that weird multilib/nomultilib situation. SELinux |
| 66 |
> profiles currently enable multilib and "-multilib" (aka "no-multilib") is |
| 67 |
> for the time being not supported. But we might need to focus on this in the |
| 68 |
> near future as I would assume in server environments no-multilib is |
| 69 |
> preferred. |
| 70 |
> |
| 71 |
> Wkr, |
| 72 |
> Sven Vermeulen |
| 73 |
> |
| 74 |
> |
Archives