On 12/4/11 9:35 PM, Sven Vermeulen wrote:

> Within the Gentoo Hardened project, we are working on getting the SELinux
> support into shape. Recent evolutions are the stabilization of latest upstream
> userspace utilities and policies as well as documentation improvements and even
> some "human resource improvements" (read: fresh blood in our ranks).

This is excellent progress! Kudos for working on this.

> In Gentoo, unlike some other distributions, we try to keep the number of
> loaded/installed modules to a minimum so that policy rebuilds as well as the
> system overhead is limited. This results in a "base" policy (provided by
> selinux-base-policy) and modules (provided by sec-policy/selinux-<modulename>). To make
> sure that installations of a package pull in the right SELinux module, the
> proper dependencies must be defined.

Are you sure this is the right choice? It seems to me that it'd be better to
focus on making things work, and increasing the complexity of the deps
makes this harder (and increases the number of packages you maintain
too). Unless you have _abundant_ resources to deal with that, I'd like
to discourage you from handling policies that way.

Furthermore, imagine I'm adding a new package "foo" that is covered by
the SELinux policy. Most developers don't use SELinux (hey, I suspect
most of them don't even use the developer profile; bad, bad!). How do I know
whether it's sec-policy/selinux-foo that's not yet added or
sec-policy/selinux-games or something else... If the complete policy is
in one package, this should be obvious, and we don't even need deps for
that.

> Since there are quite a few packages that would need updates, I thought about
> first mailing gentoo-dev for feedback and perhaps a first chunk of work done. I
> also wouldn't mind creating bugreports for each of them, but that would still be
> best done after having mailed gentoo-dev ;-)

As said by other devs here, I also think it'd be more effective if you
just do the change yourself. USE="selinux" doesn't affect anything else
so it's safe.