Gentoo Archives: gentoo-dev

From: "PaweĊ‚ Hajdan
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] We need *you* for a USE="selinux" dependency
Date: Mon, 05 Dec 2011 07:55:45
In Reply to: [gentoo-dev] We need *you* for a USE="selinux" dependency by Sven Vermeulen
1 On 12/4/11 9:35 PM, Sven Vermeulen wrote:
2 > Within the Gentoo Hardened project, we are working on getting the SELinux
3 > support into shape. Recent evolutions are the stabilization of latest upstream
4 > userspace utilities and policies as well as documentation improvements and even
5 > some "human resource improvements" (read: fresh blood in our ranks).
7 This is excellent progress! Kudos for working on this.
9 > In Gentoo, unlike some other distributions, we try to keep the number of
10 > loaded/installed modules to a minimum so that policy rebuilds as well as the
11 > system overhead is limited. This results in a "base" policy (provided by
12 > selinux-base-policy) and modules (provided by sec-policy/selinux-<modulename>). To make
13 > sure that installations of a package pull in the right SELinux module, the
14 > proper dependencies must be defined.
16 Are you sure this is right choice? It seems to me that it'd be better to
17 focus no making things work, and increasing the complexity of the deps
18 makes this harder (and increasing the number of packages you maintain
19 too). Unless you have _abundant_ resources to deal with that, I'd like
20 to discourage you from handling policies that way.
22 Furthermore, imagine I'm adding a new package "foo" that is covered by
23 the SELinux policy. Most developers don't use SELinux (hey, I suspect
24 most of them don't even use developer profile; bad, bad!). How do I know
25 whether it's sec-policy/selinux-foo that's not yet added or
26 sec-policy/selinux-games or something else... If the complete policy is
27 in one package, this should be obvious, and we don't even need deps for
28 that.
30 > Since there are quite a few packages that would need updates, I thought about
31 > first mailing gentoo-dev for feedback and perhaps a first chunk of work done. I
32 > also wouldn't mind creating bugreports for each of them, but that would still be
33 > best done after having mailed gentoo-dev ;-)
35 As said by other devs here, I also think it'd be more effective if you
36 just do the change yourself. USE="selinux" doesn't affect anything else
37 so it's safe.


File name MIME type
signature.asc application/pgp-signature


Subject Author
Re: [gentoo-dev] We need *you* for a USE="selinux" dependency Sven Vermeulen <swift@g.o>