List Archive: gentoo-dev
Headers:
To: gentoo-dev@g.o
From: "Paweł Hajdan, Jr." <phajdan.jr@g.o>
Subject: Re: We need *you* for a USE="selinux" dependency
Date: Mon, 05 Dec 2011 08:54:13 +0100
On 12/4/11 9:35 PM, Sven Vermeulen wrote:
> Within the Gentoo Hardened project, we are working on getting the SELinux
> support into shape. Recent evolutions are the stabilization of latest upstream
> userspace utilities and policies as well as documentation improvements and even
> some "human resource improvements" (read: fresh blood in our ranks).

This is excellent progress! Kudos for working on this.

> In Gentoo, unlike some other distributions, we try to keep the number of
> loaded/installed modules to a minimum so that policy rebuilds as well as the
> system overhead is limited. This results in a "base" policy (provided by
> selinux-base-policy) and modules (provided by sec-policy/selinux-<modulename>). To make
> sure that installations of a package pull in the right SELinux module, the
> proper dependencies must be defined.

Are you sure this is the right choice? It seems to me that it'd be better to
focus on making things work, and increasing the complexity of the deps
makes this harder (and increasing the number of packages you maintain
too). Unless you have _abundant_ resources to deal with that, I'd like
to discourage you from handling policies that way.

Furthermore, imagine I'm adding a new package "foo" that is covered by
the SELinux policy. Most developers don't use SELinux (hey, I suspect
most of them don't even use developer profile; bad, bad!). How do I know
whether it's sec-policy/selinux-foo that's not yet added or
sec-policy/selinux-games or something else... If the complete policy is
in one package, this should be obvious, and we don't even need deps for
that.

> Since there are quite a few packages that would need updates, I thought about
> first mailing gentoo-dev for feedback and perhaps a first chunk of work done. I
> also wouldn't mind creating bugreports for each of them, but that would still be
> best done after having mailed gentoo-dev ;-)

As said by other devs here, I also think it'd be more effective if you
just do the change yourself. USE="selinux" doesn't affect anything else
so it's safe.



Updated Jun 29, 2012

Summary: Archive of the gentoo-dev mailing list.
