On Tue, 2006-11-28 at 10:12 -0500, Gene Heskett wrote:
> On Tuesday 28 November 2006 07:31, Craig White wrote:
> >----
> >The update wasn't the issue...you installed another snapshot of amanda -
> >all files without contexts for SELinux I would bet.
> >
> Of course it's from the tarball, built right here, I'm a tester. What's
> wrong with that?
----
nothing but being a tester means that you have the tools to actually
test or can acquire the skills necessary to properly install a test
snapshot - and this includes the nuances of the host build system.
----
> >
> >One of the issues you are going to have with installing stuff from
> >source is that none of those files will have the proper contexts for
> >SELinux and you are either going to have to actually learn how to live
> >with SELinux or just shut it off.
> >
> >Blaming errors on the packages when you don't understand what you are
> >doing makes you look rather foolish.
>
> I'm not blaming the errors on the amanda packaging Craig as I haven't used
> a packaged amanda in at least 5 years. But I damned sure do object to
> building it right here on this box where it's going to run, using the
> tools supplied with the distribution, only to have selinux decide it's not
> safe to run it even if it's (theoretically) set to permissive. That to me
> is a tool error and goes back to both selinux and the compiler suite.
> And maybe should be bugzilla'd. OTOH, I've been a fool before, one who
> believes that this crap should Just Work(TM).
----
I suppose that if you want to provide evidence that demonstrates that
having selinux set to permissive was still blocking it from working (on
bugzilla), then the developers would have a chance to fix whatever is
blocking it from working. Until then, your complaints are anecdotal.
----
>
> Does this mean I have to reboot and relabel the system every time I install
> a new version of amanda to test it?
>
> If so, that does rather label linux's extended uptime claims as a lie from
> the gitgo now doesn't it?
----
I previously supplied the link to the information on SELinux to you the
first time you got in a tizzy and I will supply it again...

http://fedora.redhat.com/docs/selinux-faq-fc5/

If you want to relabel the entire file system - that is a prerogative
that you enjoy but clearly not the only method available to you.

Knowledge is power...perhaps you want to absorb the information on the
above since 'local policy' is likely to be more enduring. Learning how
to use tools such as chcon might also prove useful.
----
> Now let's see if the problem can be fixed within the framework of this PITA
> called selinux.
>
> Is there a method that I can use to relabel a freshly built snapshot's
> whole src+object tree before I become root to do the make install? If
> there is, then I'll just incorporate it right into the build script I've
> been using for years. That would be the ideal situation IMO.
----
Your opinion is just one opinion. You can set file security contexts at
any point along the way but they might change depending upon how they
are moved and what contexts already exist. I would presume that it's
more common to fix file contexts after the files are copied to their
final location, again, either through policy, by existing tools or by a
complete relabel of the file system.

If you were familiar with rpm building, you could probably alleviate
many of your problems with contexts and upgrades and post install
scripts. By the way, it's pretty easy to build rpm's from a
tarball...what you need is a spec file. My guess is that someone
unwilling to spend the time and energy learning how to operate with
SELinux isn't going to spend the time learning to use rpm-build since
he's already figured out ./configure && make && make test && make
install

Here's a hint...get the current SRPM for amanda and modify the spec
file.

Also, I find it really hard to believe that someone who logs in as root,
runs GUI as root actually changes to another user to ./configure && make
&& make test before changing back to root to make install.
----
>
> What I'm saying, nay demanding, is that selinux isn't to be sensitive to
> this. We can fix the build system, or we can fix selinux by disabling
> it, which is the current situation.
----
disabling is a very reasonable solution for those unwilling to spend the
time and energy necessary to understand how to maintain a system running
SELinux.
----
>
> Just to keep peace in the camp, I'd much druther fix the build system if
> it's possible. And the fixes will be published on the amanda-user and
> amanda-hackers lists if they can be made to work. No one should be
> forced to endure this constant harassment by a tool that lies outright
> to the end user. Because that's exactly what it's doing when it blames it
> on pam.
----
perhaps you need to demonstrate what is wrong with the build system and
SELinux because as I see it, there are thousands of packages available
for FC-6 and they seem to manage to live with SELinux.

Craig
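
The option mentioned in the message above, fixing file contexts after the files are copied to their final location, can be scripted as a post-install step. The following is an added example, not part of the original thread or of amanda's build system; it assumes a manifest file listing the installed absolute paths one per line, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Audits and repairs SELinux labels for
# files placed by a source "make install". The manifest (one installed
# absolute path per line) and the function names are hypothetical.

TAB=$(printf '\t')

# Extract the type field (third colon-separated field) of a context.
# restorecon resets only the type by default, so that is what is compared.
# "cut -s" yields nothing for strings without colons, such as "<<none>>".
context_type() {
    printf '%s\n' "$1" | cut -s -d: -f3
}

# Print "path<TAB>actual_type<TAB>expected_type" for each mislabelled file.
audit_contexts() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue            # skip blank manifest lines
        [ -e "$path" ] || continue            # skip paths that were not installed
        actual=$(context_type "$(stat -c %C "$path")")
        expected=$(context_type "$(matchpathcon -n "$path")")
        [ -n "$expected" ] || continue        # policy has no entry for this path
        if [ "$actual" != "$expected" ]; then
            printf '%s\t%s\t%s\n' "$path" "$actual" "$expected"
        fi
    done < "$1"
}

# Reset every mislabelled file to the label the loaded policy assigns.
fix_contexts() {
    audit_contexts "$1" | while IFS="$TAB" read -r path actual expected; do
        restorecon -v "$path"
    done
}

case "${1:-}" in
    --audit) audit_contexts "$2" ;;
    --fix)   fix_contexts "$2" ;;
esac
```

Running it with `--audit` first shows which files differ from policy; `--fix` needs to run as root once `make install` has finished.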