Gentoo Archives: gentoo-dev

From: Paweł Hajdan
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] We need *you* for a USE="selinux" dependency
Date: Mon, 05 Dec 2011 07:55:45
In Reply to: [gentoo-dev] We need *you* for a USE="selinux" dependency by Sven Vermeulen
On 12/4/11 9:35 PM, Sven Vermeulen wrote:
> Within the Gentoo Hardened project, we are working on getting the SELinux
> support into shape. Recent evolutions are the stabilization of latest upstream
> userspace utilities and policies as well as documentation improvements and even
> some "human resource improvements" (read: fresh blood in our ranks).
This is excellent progress! Kudos for working on this.
> In Gentoo, unlike some other distributions, we try to keep the number of
> loaded/installed modules to a minimum so that policy rebuilds as well as the
> system overhead is limited. This results in a "base" policy (provided by
> selinux-base-policy) and modules (provided by sec-policy/selinux-<modulename>). To make
> sure that installations of a package pull in the right SELinux module, the
> proper dependencies must be defined.
Are you sure this is the right choice? It seems to me that it'd be better to focus on making things work, and increasing the complexity of the deps makes this harder (and increases the number of packages you maintain too). Unless you have _abundant_ resources to deal with that, I'd like to discourage you from handling policies that way.

Furthermore, imagine I'm adding a new package "foo" that is covered by the SELinux policy. Most developers don't use SELinux (hey, I suspect most of them don't even use the developer profile; bad, bad!). How do I know whether it's sec-policy/selinux-foo that's not yet added, or sec-policy/selinux-games, or something else... If the complete policy is in one package, this should be obvious, and we don't even need deps for that.
> Since there are quite a few packages that would need updates, I thought about
> first mailing gentoo-dev for feedback and perhaps a first chunk of work done. I
> also wouldn't mind creating bugreports for each of them, but that would still be
> best done after having mailed gentoo-dev ;-)
As said by other devs here, I also think it'd be more effective if you just do the change yourself. USE="selinux" doesn't affect anything else so it's safe.

