[lsb-discuss] LSB and SELinux

[Robert Schweikert]

<snip>
>
> So I don't have very good network connectivity at the moment (cruise
> ship in the middle of the Mediterranean, actually),
I'll trade a crappy network for a cruise -:)
>  so I can't really
> google search on this ---- but what specifically do you mean by text
> relocation that breaks in the presence of SELinux being enabled?  I'm
> not aware of any such issue.
>   
This is the -fpic issue 
(http://people.redhat.com/drepper/textrelocs.html) and goes back to not 
necessarily being in control of all the binaries. While we can certainly 
request vendors to fix their build it does take time. Still people may 
not necessarily be aware of this and might build applications with this 
problem. These apps can then still be certified but will not run on an 
SELinux system without fiddling with the rules.

Perhaps appchk should complain about TEXREL. While this is outside the 
LSB, it would sure go a long way in being pro active and making a bet 
effort to keep our promise.

<snip>
>  the response
> has been that most ISV's have an FAQ that can be easily given by Level
> 1 or Level 2 help desk personnel of the form, "Oh, you have SELinux
> enabled?  Turn it off; our product doesn't support SELinux."
>   
That is our response too, but we have enough customers complaining that 
we will try to address the issues w.r.t. SELinux in some way shape or 
form, hopefully without having to provide SELinux rules for our customers.
>> Basically we have some "attribute" which is currently outside the LSB 
>> preventing us to keep our promise.
>>     
>
> Well, is it an "attribute" or a "configuration problem"? 
I guess its both. TEXREL is an attribute in ELF and that SELinux 
complains when a binary has this is a configuration issue.
>  I could also
> easily see the default firewall configuration rules possibly breaking
> some application which depending on being able to accept connections
> on certain ports, for example.  
>   
While the symptom may be the same, i.e. the app will not run, I would 
not lump the problem between firewall settings and SELinux into the same 
bucket. The reason for this is basically awareness. Firewalls and 
network security are issues that many people consider and app vendors 
needing special ports have certainly learned how to address these 
issues. The thought that turning on SELinux will "break" applications is 
probably not something that people immediately connect.
> Is this different from any of the other configuration issues that
> might hit a particular ISV, such as if one distro configures a certain
> number of System V semaphores by default, and another distro
> configures a different number?  Maybe the right approach is to
> standardize ways in which ISV installers can configure the system
> appropriately (e.g., an LSB interface to open up a particular hole in
> the firewall, etc.).
>   
That would certainly be a good approach. On the other hand I can already 
hear the yelling, "there is no way we as an organization will let an app 
monkey with our firewall rules". This might turn out to be a 
controversial topic.

<snip>
> What do you mean by text relocations?  Do you mean some applicaiton
> where some parts of the object file was compiled -fPIC? 
Yes, see above. People do not necessarily have control over all the 
binaries being shipped.
>  As I said
> earlier, this is the first time I've heard about any such thing
> conflicting with SELinux.  Can you say more about what the problem is?
> What is the impact of requiring ISV's to compile without text
> relocations?
>   
I think this is mostly a timing and awareness issue. While Ulrich 
Drepper certainly explains the issues well in the DSO How-To and 
http://people.redhat.com/drepper/textrelocs.html I am not sure there is 
sufficient awareness of this issue such that no surprises arise when 
SELinux is enabled.

Robert

-- 
Robert Schweikert                       MAY THE SOURCE BE WITH YOU
(robert.schweikert at mathworks.com)                 LINUX
The MathWorks Inc.
Phone : 508-647-2042