SCIENTIFIC-LINUX-DEVEL Archives

November 2013

SCIENTIFIC-LINUX-DEVEL@LISTSERV.FNAL.GOV

From: Stephan Wiesand <[log in to unmask]>
Reply To: Stephan Wiesand <[log in to unmask]>
Date: Mon, 4 Nov 2013 20:59:34 +0100
I'd like to humbly express my disapproval of habitually placing each and every SELinux policy "enhancement" in the security tree. These updates are rather expensive in terms of system resources, likely to aid a very very small percentage of SL users only (who could just as well get them from fastbugs if they're even aware of an issue addressed), and have a significant potential of breaking things for all the others.

And there's at least one clear mistake in the change note, and two places making me wonder whether they're correct, and all three paragraphs fail to make it clear to me what actual problem is solved by deploying this update. None of this makes me quite confident in the QA process this change went through. Which is why I'd much rather deploy it only in the course of a minor release update, or if there'd be a security flaw fixed, or if I knew it fixes a bug actually biting me.

Am I the only one feeling that way?

	Stephan

On Nov 4, 2013, at 20:13 , Pat Riehecky wrote:

> Synopsis: Low: selinux-policy enhancement update
> Issue date: 2013-11-04
> 
> This update adds the following enhancements:
> 
> * Previously, the pacemaker resource manager did not have its own policy
> defined and started in the initrc_t domain. With this update, the wrong
> context has been fixed and proper permissions have been set for pacemaker,
> thus fixing the bug.
> 
> * Previously, the SELinux policy prevented running virtual machines based
> on volumes under the VDSM's daemon directory, /var/run/vdsm/storage/. As a
> consequence, trying to run a virtual machine with these settings resulted
> in an error. This update fixes the ability of the svirt_t SELinux process
> domain to read symbolic links in the /var/run/ directory, and now virtual
> machines based on volumes can be used under the VDSM's daemon directory.
> 
> * Previously, due to SELinux permission errors, trying to run a QEMU
> process using the libvirt library resulted in an error and the process
> being terminated. This bug has now been fixed, and QEMU processes start
> and run successfully in this scenario.
> 
> This update has been placed in the security tree to avoid SELinux-related
> problems.
> 
> 
> SL6.x
> 
> SRPMS:
>    selinux-policy-3.7.19-195.el6_4.18.src.rpm
> 
> i386:
>    selinux-policy-3.7.19-195.el6_4.18.noarch.rpm
>    selinux-policy-targeted-3.7.19-195.el6_4.18.noarch.rpm
>    selinux-policy-doc-3.7.19-195.el6_4.18.noarch.rpm
>    selinux-policy-minimum-3.7.19-195.el6_4.18.noarch.rpm
>    selinux-policy-mls-3.7.19-195.el6_4.18.noarch.rpm
> 
> x86_64:
>    selinux-policy-3.7.19-195.el6_4.18.noarch.rpm
>    selinux-policy-targeted-3.7.19-195.el6_4.18.noarch.rpm
>    selinux-policy-doc-3.7.19-195.el6_4.18.noarch.rpm
>    selinux-policy-minimum-3.7.19-195.el6_4.18.noarch.rpm
>    selinux-policy-mls-3.7.19-195.el6_4.18.noarch.rpm

-- 
Stephan Wiesand
DESY -DV-
Platanenallee 6
15738 Zeuthen, Germany
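The quoted advisory names three situations (pacemaker daemons left in initrc_t, VDSM volumes under /var/run/vdsm/storage/, libvirt-started QEMU guests denied by policy) without saying how an admin would tell whether a host is in any of them, which is the "bug actually biting me" question raised above. The script below is an added check, not part of this thread, of the advisory, or of the selinux-policy package. Offline, it parses ps -eZ style output to report which SELinux domain the pacemaker stack and any QEMU guest run in; the sample output embedded in it is constructed for the demonstration, not captured from a real host, and the pacemaker daemon names are assumed to be those of the 1.1 stack shipped for EL6. With --live it runs the same checks against the real ps -eZ, rpm, sesearch (from setools-console) and ausearch on the host.

```shell
#!/bin/sh
# Added example: does this host match any scenario in the selinux-policy
# advisory? Not the thread's, the advisory's or the package's own code.

# Constructed `ps -eZ` output for the offline demonstration. NOT captured
# from a real system: it shows a pacemaker stack that the old policy left in
# initrc_t, next to a libvirt-managed QEMU guest confined in svirt_t.
SAMPLE_PS='LABEL                                 PID TTY          TIME CMD
system_u:system_r:init_t:s0             1 ?        00:00:01 init
system_u:system_r:initrc_t:s0        1234 ?        00:00:00 pacemakerd
system_u:system_r:initrc_t:s0        1240 ?        00:00:00 crmd
system_u:system_r:virtd_t:s0         2001 ?        00:00:03 libvirtd
system_u:system_r:svirt_t:s0:c12,c34 2107 ?        00:01:12 qemu-kvm'

# Daemons of the pacemaker 1.1 stack (assumption: names as shipped in EL6).
PACEMAKER_DAEMONS="pacemakerd cib stonithd lrmd attrd pengine crmd"

# selinux_domain_of CMD PS_OUTPUT
# Print the SELinux type (third colon-separated field of the context) of
# every process whose command name equals CMD, one per line, de-duplicated.
selinux_domain_of() {
    printf '%s\n' "$2" |
        awk -v cmd="$1" 'NR > 1 && $NF == cmd { split($1, ctx, ":"); print ctx[3] }' |
        sort -u
}

# pacemaker_domains PS_OUTPUT
# Print "<daemon> <domain>" for each running pacemaker daemon, in
# PACEMAKER_DAEMONS order; daemons that are not running print nothing.
pacemaker_domains() {
    for d in $PACEMAKER_DAEMONS; do
        for t in $(selinux_domain_of "$d" "$1"); do
            printf '%s %s\n' "$d" "$t"
        done
    done
}

# pacemaker_in_initrc PS_OUTPUT
# Exit 0 if any pacemaker daemon runs in initrc_t, i.e. the advisory's first
# bullet applies to this host; exit 1 otherwise (e.g. already in pacemaker_t).
pacemaker_in_initrc() {
    pacemaker_domains "$1" | awk '$2 == "initrc_t" { found = 1 } END { exit !found }'
}

# Live checks against the real host, only when run as: sh check-policy.sh --live
if [ "${1-}" = "--live" ]; then
    live_ps=$(ps -eZ)
    echo "== installed policy (advisory ships 3.7.19-195.el6_4.18) =="
    rpm -q selinux-policy-targeted
    echo "== pacemaker daemons and their domains (bullet 1) =="
    pacemaker_domains "$live_ps"
    if pacemaker_in_initrc "$live_ps"; then
        echo "pacemaker runs in initrc_t: advisory bullet 1 applies here"
    fi
    echo "== VDSM storage directory (bullet 2) =="
    if [ -d /var/run/vdsm/storage ]; then echo present; else echo absent; fi
    echo "== can svirt_t read symlinks under /var/run (var_run_t)? (bullet 2) =="
    # sesearch comes from setools-console; an empty result means the
    # lnk_file:read rule the advisory describes is not in the loaded policy.
    sesearch --allow -s svirt_t -t var_run_t -c lnk_file -p read 2>/dev/null ||
        echo "sesearch not available"
    echo "== today's AVC denials for qemu-kvm (bullet 3) =="
    ausearch -m avc -c qemu-kvm --start today 2>/dev/null | tail -n 20
fi
```

Run it without arguments to exercise the parser on the constructed sample, or with --live on an SL6 host to get an answer to whether the update changes anything for that machine before deciding to pull it from the security tree.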