List Archive: gentoo-dev
Note: Due to technical difficulties, the Archives are currently not up to date.
provides an alternative service for most mailing lists.c.f. bug 424647
On 12/4/11 9:35 PM, Sven Vermeulen wrote:
> Within the Gentoo Hardened project, we are working on getting the SELinux
> support into shape. Recent evolutions are the stabilization of latest upstream
> userspace utilities and policies as well as documentation improvements and even
> some "human resource improvements" (read: fresh blood in our ranks).
This is excellent progress! Kudos for working on this.
> In Gentoo, unlike some other distributions, we try to keep the number of
> loaded/installed modules to a minimum so that policy rebuilds as well as the
> system overhead is limited. This results in a "base" policy (provided by
> selinux-base-policy) and modules (provided by sec-policy/selinux-<modulename>). To make
> sure that installations of a package pull in the right SELinux module, the
> proper dependencies must be defined.
Are you sure this is right choice? It seems to me that it'd be better to
focus no making things work, and increasing the complexity of the deps
makes this harder (and increasing the number of packages you maintain
too). Unless you have _abundant_ resources to deal with that, I'd like
to discourage you from handling policies that way.
Furthermore, imagine I'm adding a new package "foo" that is covered by
the SELinux policy. Most developers don't use SELinux (hey, I suspect
most of them don't even use developer profile; bad, bad!). How do I know
whether it's sec-policy/selinux-foo that's not yet added or
sec-policy/selinux-games or something else... If the complete policy is
in one package, this should be obvious, and we don't even need deps for
> Since there are quite a few packages that would need updates, I thought about
> first mailing gentoo-dev for feedback and perhaps a first chunk of work done. I
> also wouldn't mind creating bugreports for each of them, but that would still be
> best done after having mailed gentoo-dev ;-)
As said by other devs here, I also think it'd be more effective if you
just do the change yourself. USE="selinux" doesn't affect anything else
so it's safe.