There is good documentation on upgrading Fedora using yum on the Fedora project wiki. I tried this, and it crashed halfway through when changing SELinux policy killed the ssh connection I was using to run yum. The resulting half-upgraded machine took about half a day to recover. It says a lot about the robustness of Fedora that it was recoverable at all.
If you want to follow the wiki's directions I suggest the following additional steps:
Boot into single user mode with SELinux enforcement off. That is, with the parameters
enforcing=0 s
Run yum from the console.
After the upgrade I couldn't get sendmail to work with SMTP AUTH or with milters such as SpamAssassin or ClamAV. After a false start (sendmail is picky about file permissions) I tracked this down to a shortcoming in the SELinux policies which prevented sendmail from opening the Unix-domain sockets used to communicate with saslauthd and the milter daemons. Generating a fix to this was surprisingly easy.
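# Build a local policy module (local.te, local.pp) from the logged mail denials
grep mail /var/log/audit/audit.log | audit2allow -M local
# Load the compiled module
semodule -i local.pp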
I reported the generated fix to the Red Hat Bugzilla. There's already a modified selinux-policy-targeted in Rawhide -- astonishingly fast work which made me feel guilty about the snarky comment I left in the bug report.
Overall the two experiences have made me feel a lot better about the quality of SELinux. It's simple to apply a fix for a less-than-perfect policy and the maintainer is incredibly responsive to bug reports. I also like that it works as advertised on the box: sendmail couldn't open those Unix-domain sockets, and the fix allows access just to the sockets needed, not some hack which undermines security by giving access to all Unix-domain sockets.
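An added example, not from the original post: Python that approximates what the `grep mail ... | audit2allow` step produces, run over constructed AVC records (the log lines, the type names in them and the `unexpected_rules` helper are assumptions for illustration). It shows that each generated rule names one source type, one target type and one object class, and that a coarse `grep mail` can sweep in denials from other domains, so the rules are worth reading before `semodule -i`.

```python
import re
from collections import defaultdict

# Constructed AVC records for illustration; not taken from the post's audit.log.
SAMPLE_LOG = '''\
type=AVC msg=audit(1190000000.101:41): avc:  denied  { write } for  pid=2345 comm="sendmail" name="mux" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:saslauthd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1190000000.102:42): avc:  denied  { connectto } for  pid=2345 comm="sendmail" path="/var/run/saslauthd/mux" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:saslauthd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1190000007.310:57): avc:  denied  { connectto } for  pid=2351 comm="sendmail" path="/var/run/saslauthd/mux" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:saslauthd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1190000011.007:60): avc:  denied  { read } for  pid=2400 comm="procmail" name="shadow" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=USER_AUTH msg=audit(1190000012.000:61): user pid=2410 uid=0 msg='op=PAM:authentication acct="mail" res=success'
'''

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def allow_rules(log_text, pattern="mail"):
    """Approximate `grep mail | audit2allow`: one rule per (source, target, class)."""
    perms = defaultdict(set)
    for line in log_text.splitlines():
        if pattern not in line:          # the coarse substring filter from the post
            continue
        m = AVC_RE.search(line)
        if m:                            # non-AVC records are ignored
            key = (selinux_type(m.group(2)), selinux_type(m.group(3)), m.group(4))
            perms[key].update(m.group(1).split())   # repeated denials collapse
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(perms.items())]

def unexpected_rules(rules, expected_source="sendmail_t"):
    """Rules the grep swept in that grant access to a domain other than sendmail."""
    return [r for r in rules if r.split()[1] != expected_source]

if __name__ == "__main__":
    rules = allow_rules(SAMPLE_LOG)
    print("\n".join(rules))
    print("review before loading:", unexpected_rules(rules))
```

On a real system the same review can be done by reading the `local.te` file that `audit2allow -M local` writes next to `local.pp`.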
When I see an exploit for a bug I sometimes grep the network flow records to see how long it was around before being reported. One month seems pretty typical for my unscientific sample. So even having up-to-date software is insufficient protection. It's nice that SELinux provides a mechanism that doesn't rely on patches. It's going to be essential on Internet-facing servers within a few years.