[lsb-discuss] LSB and SELinux

Theodore Tso tytso at mit.edu
Wed Nov 28 23:57:22 PST 2007


On Wed, Nov 28, 2007 at 02:11:56PM -0500, Robert Schweikert wrote:
> So here is an interesting question, I know we are trying to get 3.2 out the 
> door, but since I am investigating this right now it would be great to get 
> some opinions.
>
> Presumably an SELinux system (SELinux enabled) meeting all the interface 
> requirements in the LSB specification can be LSB certified. RHEL is an 
> example as I think SELinux is on by default, even if SELinux is not the 
> default and turned on by the user this shouldn't invalidate the 
> certification.
>
> The problem now is that we are trying to "guarantee" that an LSB certified 
> app will run on an LSB certified distribution. This is not true if the LSB 
> certified app needs text relocations and is run on an LSB distro with 
> SELinux on.

So I don't have very good network connectivity at the moment (cruise
ship in the middle of the Mediterranean, actually), so I can't really
google search on this ---- but what specifically do you mean by text
relocation that breaks in the presence of SELinux being enabled?  I'm
not aware of any such issue.

On the other hand, it has always been the case that if SELinux is
enabled in its full "enforcing" mode, that most application will break
until someone spends a huge amount of time trying to craft an SELinux
policy --- which most SELinux proponents will first try to deny is
difficult, and then when it is shown that configuring sendmail.cf
files are easier, will admit that well, they is some interesting work
in making meta-policy configuration tools to create SELinux policies,
but it's all a research problem right now.... to which the response
has been that most ISV's have an FAQ that can be easily given by Level
1 or Level 2 help desk personnel of the form, "Oh, you have SELinux
enabled?  Turn it off; our product doesn't support SELinux."

> Basically we have some "attribute" which is currently outside the LSB 
> preventing us to keep our promise.

Well, is it an "attribute" or a "configuration problem"?  I could also
easily see the default firewall configuration rules possibly breaking
some application which depending on being able to accept connections
on certain ports, for example.  

Is this different from any of the other configuration issues that
might hit a particular ISV, such as if one distro configures a certain
number of System V semaphores by default, and another distro
configures a different number?  Maybe the right approach is to
standardize ways in which ISV installers can configure the system
appropriately (e.g., an LSB interface to open up a particular hole in
the firewall, etc.).

> My first question now is whether or not my description is correct? Since I 
> don't know the spec in great detail there is certainly a chance that we say 
> something about TEXREL somewhere and what we expect to happen.

What do you mean by text relocations?  Do you mean some applicaiton
where some parts of the object file was compiled -fPIC?  As I said
earlier, this is the first time I've heard about any such thing
conflicting with SELinux.  Can you say more about what the problem is?
What is the impact of requiring ISV's to compile without text
relocations?

							- Ted



More information about the lsb-discuss mailing list