I appreciate Fedora using SELinux a lot, but I’m no expert in finetuning SELinux for own needs. I mostly rely on the default settings for the software coming from the offical Fedora repo.
What are the security implications (from the perspective of SELinux settings) of building the newest version of a program, that was previously installed through the repo, myself as opposed to waiting for the offical release? More concretely, I consider doing this with Emacs, i.e. I have Emacs 28.2 installed from the repo, but consider building Emacs 29.1 (that was released today) myself.
a) Am I correct to think that if I replace the old installation, the current SELinux policy will apply to the new build?
b) Are the SELinux policies fragile enough that they need to be modified for each version of a given program? Big change in Emacs 29.1 is the native support for Wayland, I believe.
User programs, in general, runs unconstrained, so they don’t really have any specific SELinux rules defined. So the only constrains for these programs is the standard unix permission settings, that is, user, group, and other permissions. I wouldn’t think any user would be happy if emacs could not edit any file found anywhere withint the user’s own home directory.
There are some administration programs which change SELinux context type and thereby will become more restricted and they otherwise would be when run with the
I see. I guess Emacs is one of those programs where extra SELinux limitation would be especially difficult, but I was somehow assuming that some of the more specialized user programs might get sume further restrictions from SELinux. Thanks for the reply!
Have you checked for emacs 29.1 in copr repos? majore-biscuit Emacs-29 mentions emacs-29.1 for Fedora 38, but the last several build attempts failed.
I haven’t, but thanks for pointing this out. I usually try to stick to the official repo or to build myself, for better security.
The security contexts are the same, whether the files or the programs/packages are installed from a repository or from your own local build.
When the available packages were missing a configuration option our use cases needed, I would get the
.spec files and tweak the configuration options. For the copr repos you can view logs for failed builds. Often the failures occur across other distros and you can find discussions of the issue causing FTBS. I have also found useful discussions of build issues at macports.org.
I see. But by “security” I just meant trusting unofficial repo as opposed to building from the source or using the official Fedora’s repo.