
List Archive: gentoo-dev
To: gentoo-dev@g.o
From: Sven Vermeulen <swift@g.o>
Subject: Re: We need *you* for a USE="selinux" dependency
Date: Mon, 5 Dec 2011 20:42:41 +0000
On Mon, Dec 05, 2011 at 08:54:13AM +0100, "Paweł Hajdan, Jr." wrote:
> > In Gentoo, unlike some other distributions, we try to keep the number of
> > loaded/installed modules to a minimum so that policy rebuilds as well as the
> > system overhead is limited. This results in a "base" policy (provided by
> > selinux-base-policy) and modules (provided by sec-policy/selinux-<modulename>). To make
> > sure that installations of a package pull in the right SELinux module, the
> > proper dependencies must be defined.
> Are you sure this is the right choice? It seems to me that it'd be better to
> focus on making things work, and increasing the complexity of the deps
> makes this harder (and increasing the number of packages you maintain
> too). Unless you have _abundant_ resources to deal with that, I'd like
> to discourage you from handling policies that way.

For end users, this is much more enjoyable. If we load up all policies, then
any interaction with the SELinux policies will take some time. Also, all
policies in memory do take up some space. Finally, for development purposes,
this is very much enjoyable as well, since it allows for much faster policy
development (rebuild policies in seconds to minutes rather than dozen of

Maintenance is actually pretty easy. The eclass we use provides us with a
very easy interface to add modules, and because it is a module per ebuild,
we can push changes on individual modules without pushing full policy builds

> Furthermore, imagine I'm adding a new package "foo" that is covered by
> the SELinux policy. Most developers don't use SELinux (hey, I suspect
> most of them don't even use developer profile; bad, bad!). How do I know
> whether it's sec-policy/selinux-foo that's not yet added or
> sec-policy/selinux-games or something else... If the complete policy is
> in one package, this should be obvious, and we don't even need deps for
> that.

I know. This is one major hurdle that we need to take on. Using dependencies
is the "easiest" approach, albeit the most resource intensive one
(initially, that is). I don't mind having the dependencies added as we go.
For our end users, we already documented that missing modules are to be
expected and how to resolve it.

> As said by other devs here, I also think it'd be more effective if you
> just do the change yourself. USE="selinux" doesn't affect anything else
> so it's safe.

Ok, no problem. I'll check on IRC regardless, if not just to give a "heads
up" on changes.

Also, my apologies for not sorting the list. Careful readers will notice it
is sorted, but by the package name, not category :/ 

Thank you all for the feedback!

	Sven Vermeulen
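The dependency pattern the thread asks maintainers to add (a package with USE="selinux" pulling in its sec-policy/selinux-<modulename> module) can be audited mechanically. The following helper is an added example for this archive page, not code from the thread, from Gentoo's eclasses or from the tree; the three sample ebuilds (foo, bar, baz) are constructed here and the check is a plain grep heuristic, not a full ebuild parser.

```bash
#!/bin/sh
# Added example: audit ebuilds for the USE="selinux" dependency pattern
# discussed in the thread, i.e.
#   IUSE="selinux"
#   RDEPEND="selinux? ( sec-policy/selinux-foo )"
# check_selinux_dep FILE prints "ok", "missing" or "n/a" (no selinux flag)
# and returns 1 only for "missing", so it can drive a loop over a tree.
check_selinux_dep() {
    ebuild="$1"
    # Does the ebuild expose the selinux USE flag at all?
    if ! grep -Eq '^IUSE=.*["+[:space:]]selinux([[:space:]"]|$)' "$ebuild"; then
        echo "n/a"
        return 0
    fi
    # A selinux? conditional that references a sec-policy module. Two greps so
    # that multi-line RDEPEND blocks are accepted (grep is line-oriented).
    if grep -Eq 'selinux\?[[:space:]]*\(' "$ebuild" \
       && grep -Eq 'sec-policy/selinux-' "$ebuild"; then
        echo "ok"
        return 0
    fi
    echo "missing"
    return 1
}

# Constructed sample ebuilds for hypothetical packages (demo input only).
tmp=$(mktemp -d)
cat > "$tmp/foo-1.0.ebuild" <<'EOF'
EAPI=4
IUSE="selinux"
RDEPEND="selinux? ( sec-policy/selinux-foo )"
EOF
cat > "$tmp/bar-1.0.ebuild" <<'EOF'
EAPI=4
IUSE="doc selinux"
RDEPEND="dev-libs/libbar"
EOF
cat > "$tmp/baz-1.0.ebuild" <<'EOF'
EAPI=4
IUSE="doc"
RDEPEND="dev-libs/libbaz"
EOF

# Report one line per ebuild; "missing" flags the bar-style case the thread
# is asking maintainers to fix.
for e in "$tmp"/*.ebuild; do
    printf '%s: %s\n' "$(basename "$e")" "$(check_selinux_dep "$e")"
done
rm -rf "$tmp"
```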
