Re: How vulnerable can it be?

Peter Gordon wrote:
> Jim Cornette wrote:
>> [2] SELinux set to enforced
>> It is safer for correct install to set SELinux to permissive during
>> updates. There could be issues with %post and %pre scriptlets when
>> running rpm, yum or other dep solver/installers.
>
> Would you expand on this a bit please? Every Fedora install I've done
> since I resumed it as my distro of choice soon after FC4's release has
> been with the targeted policy running in Enforcing mode, and I've had no
> noticeable errors with RPM scriptlets. Thanks.



Throughout participation with rawhide and also reading earlier postings regarding problems with scriptlets failing with yumex, I do not want to continually police my system for duplicate rpm listings, missing files from rpms or wrong permissions set on files.

When the policies are set up correctly, scriptlets are not a problem related to SELinux influences. When the SELinux policies are not set correctly, updating resembles any threat that you are trying to prevent from happening.

For my personal encounter with SELinux in enforcing during upgrade:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=177883

Also, we discussed duplicate packages causing errors on the development list. Steve Grubb worked out, with others' feedback on the list, a script that can be run and detects duplicate or mismatched packages. It makes allowances for kernel and public keys to not show in the output.

I posted it on the fedoraproject.org wiki:

http://fedoraproject.org/wiki/JimCornette?action=AttachFile&do=get&target=sg-dupes-mv.sh

I have selinux in enforcing when not updating. I do sometimes forget to put SELinux in permissive until after the update. Running the script above, I get one multirevision of an rpm as listed below.

 ~/sg-dupes-mv.sh
Searching for duplicates
Duplicates were found:
librsvg2-2.15.0-1
librsvg2-2.15.0-3


I tried to not blame anything on SELinux by backing down to "safer" for terminology vs. "I would not update when in enforcing mode", which is a personal choice for me.

Jim

--
A team effort is a lot of people doing what I say.
		-- Michael Winner, British film director
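
A sketch of the kind of duplicate-package check described in this message, added here as an example; it is not the sg-dupes-mv.sh script linked above and not Steve Grubb's code. The `find_dupes` name, the input format, the kernel/gpg-pubkey exclusion pattern and the sample listing are assumptions, and the per-architecture grouping goes beyond what the post describes.

```shell
#!/bin/sh
# Added example: report packages installed in more than one version-release.
# Not the sg-dupes-mv.sh script referenced in the post; the input format and
# the exclusion list below are assumptions made for this illustration.

# find_dupes: reads "NAME VERSION-RELEASE ARCH" lines on stdin and prints
# "NAME-VERSION-RELEASE" for every name.arch that appears more than once.
find_dupes() {
    awk '
        # Allowances: kernels are installed side by side on purpose, and
        # every imported public key shows up as its own gpg-pubkey entry.
        $1 ~ /^kernel/ || $1 == "gpg-pubkey" { next }
        NF == 3 {
            key = $1 "." $3      # same name on another arch is multilib, not a dupe
            count[key]++
            list[key] = list[key] $1 "-" $2 "\n"
        }
        END {
            for (k in count)
                if (count[k] > 1) printf "%s", list[k]
        }
    ' | sort
}

# Constructed sample listing (not real output from the poster's system;
# only the two librsvg2 version-release strings come from the post).
sample_listing() {
    cat <<'EOF'
librsvg2 2.15.0-1 i386
librsvg2 2.15.0-3 i386
kernel 2.6.0-1 i686
kernel 2.6.0-2 i686
gpg-pubkey 00000001-00000000 (none)
gpg-pubkey 00000002-00000000 (none)
glibc 2.4-11 i386
glibc 2.4-11 x86_64
bash 3.1-16.1 i386
EOF
}

# On a live system the listing would come from:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE} %{ARCH}\n' | find_dupes
if [ "${1:-}" = "--demo" ]; then
    echo "Searching for duplicates"
    sample_listing | find_dupes
fi
```

A leftover older version-release after an update usually means the old package's erase step did not complete, so each reported pair is worth checking with `rpm -V` before removing the stale entry.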

