Gentoo Archives: gentoo-dev

From: Sven Vermeulen <swift@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] We need *you* for a USE="selinux" dependency
Date: Mon, 05 Dec 2011 20:43:53
Message-Id: 20111205204241.GA29054@gentoo.org
In Reply to: Re: [gentoo-dev] We need *you* for a USE="selinux" dependency by "Paweł Hajdan
On Mon, Dec 05, 2011 at 08:54:13AM +0100, "Paweł Hajdan, Jr." wrote:
> > In Gentoo, unlike some other distributions, we try to keep the number of > > loaded/installed modules to a minimum so that policy rebuilds as well as the > > system overhead is limited. This results in a "base" policy (provided by > > selinux-base-policy) and modules (provided by sec-policy/selinux-<modulename>). To make > > sure that installations of a package pull in the right SELinux module, the > > proper dependencies must be defined. > > Are you sure this is right choice? It seems to me that it'd be better to > focus no making things work, and increasing the complexity of the deps > makes this harder (and increasing the number of packages you maintain > too). Unless you have _abundant_ resources to deal with that, I'd like > to discourage you from handling policies that way.
For end users, this is much more enjoyable. If we load up all policies, then any interaction with the SELinux policies will take some time. Also, all policies in memory do take up some space. Finally, for development purposes, this is very much enjoyable as well, since it allows for much faster policy development (rebuild policies in seconds to minutes rather than dozen of minutes). Maintenance is actually pretty easy. The eclass we use provides us with a very easy interface to add modules, and because it is a module per ebuild, we can push changes on individual modules without pushing full policy builds again.
> Furthermore, imagine I'm adding a new package "foo" that is covered by > the SELinux policy. Most developers don't use SELinux (hey, I suspect > most of them don't even use developer profile; bad, bad!). How do I know > whether it's sec-policy/selinux-foo that's not yet added or > sec-policy/selinux-games or something else... If the complete policy is > in one package, this should be obvious, and we don't even need deps for > that.
I know. This is one major hurdle that we need to take on. Using dependencies is the "easiest" approach, albeit the most resource intensive one (initially, that is). I don't mind having the dependencies added as we go. For our end users, we already documented that missing modules are to be expected and how to resolve it.
> As said by other devs here, I also think it'd be more effective if you > just do the change yourself. USE="selinux" doesn't affect anything else > so it's safe.
Ok, no problem. I'll check on IRC regardless, if not just to give a "heads up" on changes. Also, my apologies for not sorting the list. Careful readers will notice it is sorted, but by the package name, not category :/ Thanks you all for the feedback! Wkr, Sven Vermeulen

Replies