Stephen Smalley asked me to open this ticket.
-------- Forwarded Message --------
From: Mike McGrath mmcgrath@redhat.com
To: Stephen Smalley sds@tycho.nsa.gov
Cc: James Morris jmorris@namei.org, Daniel J Walsh dwalsh@redhat.com
Subject: Re: [Fwd: Re: SELinux smolt stats]
Date: Fri, 23 May 2008 09:31:32 -0500 (CDT)
On Fri, 23 May 2008, Stephen Smalley wrote:
On Fri, 2008-03-21 at 16:37 -0400, Stephen Smalley wrote:
On Fri, 2008-03-21 at 15:26 -0500, Mike McGrath wrote:
On Fri, 21 Mar 2008, Stephen Smalley wrote:
So are we entirely dependent on a student to fix smolt stats? I'm not asking for a new custom reporting capability, just making the existing selinux stats page accurate and meaningful, excluding pre-Fedora 8 systems due to lack of data (Fedora 7 and earlier) or wrong data (Fedora 8 test2, at least, had reversed enabled/disabled values).
It would be better to have no selinux stats page up than to have one that is wrong and misleading.
I'm not a developer and have less and less time to work with smolt. The patch you're interested in should be very easy to submit. For example, you could grab a list based off of profiles updated within the last 3 months; sqlalchemy is simple. I'll get to this patch eventually but I've got a good 6 months of backlog for what I actually get paid to do with things in Fedora, so smolt is going to rely on the community. If you want to be a part of that community, please stop by #smolt on irc.freenode.net. It's remarkably easy to get commit access. If smolt fails because there is no community, then it'll fail. I'm hoping it won't though. Sorry I don't have better news.
That's ok - at least now we know what needs to be done to help things along. Previously I just assumed that someone was already working the problem.
So I took a peek through the smolt sources, but didn't see what one would modify to actually clean up what gets reported on smolts.org. The client-side code looks fine in terms of what is now being collected. I don't really see how to easily alter the server side reporting, and actually I think we just need to update the database itself to replace selinux info for pre-F8 systems with Unknown for all categories (enabled, enforce, and policy) so that they show up as such in the stats.
The easiest thing is to alter the queries so it's only selecting the most recently updated hosts. For example, the last 3 or 4 months.
I'm also unclear as to what to make of the current percentages and numbers on smolts.org. I see that the SELinux Enabled percentage is rising as expected as we get more systems actually reporting their status and with F9 released, and it totals up correctly to match the total registered hosts. The SELinux Enforce percentage and raw numbers though don't seem to match up at all with the number of enabled (I'd expect Enforcing + Permissive to roughly equal Enabled and all of the fields to total up to the total number of hosts), and there are still invalid values there (anything other than Enforcing, Permissive, Disabled, or Not Installed reflects the earlier buggy client-side code and should just be excluded). The SELinux Policy information is a little better; it at least adds up closer to the Enabled, although it also has some invalid values.
Any thoughts on what we can do to fix this up? As I said above, just updating the database for all pre-F8-GA systems to use Unknown for all categories of selinux seems the cleanest, and possibly doing likewise for any of the invalid values. Then nothing needs to change in terms of the code.
I can do this. Right now I'm in the middle of a major project (to finish on Tuesday); please open up a ticket - https://fedorahosted.org/fedora-infrastructure/ and we'll see to it the database pre-F8 gets set to unknown.
-Mike
This is done as part of the "last 90 days" checkin type work on smolts.org now.
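The cleanup rules discussed in this thread (pre-Fedora 8 hosts reported as Unknown in all three SELinux categories, invalid enforce values treated as Unknown, only hosts seen in the last 90 days counted), as an added Python example that is not smolt's own code. The record fields, the `Enabled`/`Disabled` labels and the OS string format are assumptions, and the sample hosts are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Only these enforce values are meaningful, per the thread; anything else is
# output of the earlier buggy client-side code.
VALID_ENFORCE = {"Enforcing", "Permissive", "Disabled", "Not Installed"}
WINDOW = timedelta(days=90)
FEDORA_RE = re.compile(r"Fedora release (\d+(?:\.\d+)?)")  # assumed OS string format

def is_pre_f8(os_name):
    """True for Fedora releases below 8 (test releases assumed to report < 8)."""
    m = FEDORA_RE.match(os_name)
    return bool(m) and float(m.group(1)) < 8

def normalize(host):
    """Return a copy whose untrustworthy SELinux fields are 'Unknown'."""
    out = dict(host)
    if is_pre_f8(host["os"]):
        out.update(enabled="Unknown", enforce="Unknown", policy="Unknown")
    elif host["enforce"] not in VALID_ENFORCE:
        out["enforce"] = "Unknown"
    return out

def summarize(hosts, now):
    """Count enabled/enforce values over hosts seen within WINDOW of `now`."""
    recent = [normalize(h) for h in hosts if now - h["last_seen"] <= WINDOW]
    enabled = Counter(h["enabled"] for h in recent)
    enforce = Counter(h["enforce"] for h in recent)
    # Enabled hosts not accounted for by Enforcing + Permissive.
    gap = enabled["Enabled"] - enforce["Enforcing"] - enforce["Permissive"]
    return dict(enabled), dict(enforce), gap

# Constructed sample rows: (os, last_seen, enabled, enforce, policy).
NOW = datetime(2008, 5, 23)
FIELDS = ("os", "last_seen", "enabled", "enforce", "policy")
SAMPLE = [dict(zip(FIELDS, row)) for row in [
    ("Fedora release 9 (Sulphur)", datetime(2008, 5, 20), "Enabled", "Enforcing", "targeted"),
    ("Fedora release 8 (Werewolf)", datetime(2008, 5, 1), "Enabled", "Permissive", "targeted"),
    ("Fedora release 7 (Moonshine)", datetime(2008, 5, 10), "Disabled", "1", "targeted"),
    ("Fedora release 7.91 (Rawhide)", datetime(2008, 4, 30), "Enabled", "Disabled", "targeted"),
    ("Fedora release 9 (Sulphur)", datetime(2008, 5, 15), "Enabled", "True", "targeted"),
    ("Fedora release 8 (Werewolf)", datetime(2007, 12, 1), "Disabled", "Disabled", "None"),
    ("Fedora release 9 (Sulphur)", datetime(2008, 5, 22), "Disabled", "Disabled", "None"),
]]

if __name__ == "__main__":
    print(summarize(SAMPLE, NOW))
```

Both counters total the same number of hosts, and the remaining gap between Enabled and Enforcing + Permissive equals the number of enabled hosts whose enforce value was invalid.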