[lsb-discuss] LSB and SELinux
Robert Schweikert
robert.schweikert at mathworks.com
Thu Nov 29 05:40:04 PST 2007
<snip>
>
> So I don't have very good network connectivity at the moment (cruise
> ship in the middle of the Mediterranean, actually),
I'll trade a crappy network for a cruise -:)
> so I can't really
> google search on this ---- but what specifically do you mean by text
> relocation that breaks in the presence of SELinux being enabled? I'm
> not aware of any such issue.
>
This is the -fpic issue
(http://people.redhat.com/drepper/textrelocs.html) and goes back to not
necessarily being in control of all the binaries. While we can certainly
request vendors to fix their build it does take time. Still people may
not necessarily be aware of this and might build applications with this
problem. These apps can then still be certified but will not run on an
SELinux system without fiddling with the rules.
Perhaps appchk should complain about TEXREL. While this is outside the
LSB, it would sure go a long way in being pro active and making a bet
effort to keep our promise.
<snip>
> the response
> has been that most ISV's have an FAQ that can be easily given by Level
> 1 or Level 2 help desk personnel of the form, "Oh, you have SELinux
> enabled? Turn it off; our product doesn't support SELinux."
>
That is our response too, but we have enough customers complaining that
we will try to address the issues w.r.t. SELinux in some way shape or
form, hopefully without having to provide SELinux rules for our customers.
>> Basically we have some "attribute" which is currently outside the LSB
>> preventing us to keep our promise.
>>
>
> Well, is it an "attribute" or a "configuration problem"?
I guess its both. TEXREL is an attribute in ELF and that SELinux
complains when a binary has this is a configuration issue.
> I could also
> easily see the default firewall configuration rules possibly breaking
> some application which depending on being able to accept connections
> on certain ports, for example.
>
While the symptom may be the same, i.e. the app will not run, I would
not lump the problem between firewall settings and SELinux into the same
bucket. The reason for this is basically awareness. Firewalls and
network security are issues that many people consider and app vendors
needing special ports have certainly learned how to address these
issues. The thought that turning on SELinux will "break" applications is
probably not something that people immediately connect.
> Is this different from any of the other configuration issues that
> might hit a particular ISV, such as if one distro configures a certain
> number of System V semaphores by default, and another distro
> configures a different number? Maybe the right approach is to
> standardize ways in which ISV installers can configure the system
> appropriately (e.g., an LSB interface to open up a particular hole in
> the firewall, etc.).
>
That would certainly be a good approach. On the other hand I can already
hear the yelling, "there is no way we as an organization will let an app
monkey with our firewall rules". This might turn out to be a
controversial topic.
<snip>
> What do you mean by text relocations? Do you mean some applicaiton
> where some parts of the object file was compiled -fPIC?
Yes, see above. People do not necessarily have control over all the
binaries being shipped.
> As I said
> earlier, this is the first time I've heard about any such thing
> conflicting with SELinux. Can you say more about what the problem is?
> What is the impact of requiring ISV's to compile without text
> relocations?
>
I think this is mostly a timing and awareness issue. While Ulrich
Drepper certainly explains the issues well in the DSO How-To and
http://people.redhat.com/drepper/textrelocs.html I am not sure there is
sufficient awareness of this issue such that no surprises arise when
SELinux is enabled.
Robert
--
Robert Schweikert MAY THE SOURCE BE WITH YOU
(robert.schweikert at mathworks.com) LINUX
The MathWorks Inc.
Phone : 508-647-2042
More information about the lsb-discuss
mailing list