On 02/12/2011 09:20 AM, Sven Vermeulen wrote:
> Hi hardened-folks
>
> Gentoo Hardened aims to follow the Tresys reference policy closely for the
> SELinux policy modules / packages and puts all non-base policies in the
> sec-policy/selinux-* packages. We already had a few hints on
> #gentoo-hardened about the naming conventions used for those packages.
>
> Naming conventions might seem silly to discuss, but they can make life
> difficult in the future, so it's better to tackle this before we go to a
> stable set of SELinux policies. There are various options available, but let
> me first give some information on the issue...
>
> ** Naming Collisions, Categories and More...
>
> Well, as you are probably all aware, Gentoo might have naming collisions
> when one doesn't provide the category (think app-admin/analog versus
> app-emacs/analog). For regular packages, we ask users to provide the category
> as well. However, for SELinux policy packages, there's only a single category
> currently (sec-policy/), so we might need to provide the necessary naming
> conventions in the package names.
>
> However, another problem arises. Some reference policy modules provide
> policies for multiple Gentoo packages (think admin/bootloader, which offers
> policies for LILO, GRUB, YaBoot and more). If we name our SELinux policy
> package after the Gentoo package, what would the package be called then? (In
> this particular case, bootloader is part of the base policy so doesn't
> require a separate sec-policy/ package.)
>
> And if that isn't enough, Tresys reference policy also uses categories
> (admin, apps, kernel, roles, services and system), so they too might have
> naming collisions if one would ignore the category. However, once that
> occurs, there will be other issues as well, because the reference policy
> sources might have categories, but SELinux doesn't, so the module name
> itself would require adjustments (cfr. "semodule -l" output).
>
> ** SELinux policy module naming convention
>
> So, how should we (Gentoo Hardened) name our SELinux packages to avoid the
> above collisions, but also to provide our developers with a consistent
> guideline on how to call SELinux module packages?
>
> My suggestion would be to name the packages according to the refpolicy
> module name (as it is the source of the package anyhow) without category.
> Collisions are unlikely to occur in the near future because SELinux has no
> support for categories. In other words, if a collision would occur, the
> reference policy would rename their modules (or name the new module
> differently) anyhow, so we can easily follow suit.
>
> I'd rather not follow Gentoo's package names. I know it might make it easier
> to deduce which sec-policy/selinux-* packages need to be installed on a
> system, but this is a temporary situation - in the long term, we want all
> packages that have SELinux policies to have an optional (selinux) dependency
> against their sec-policy/selinux-* package. The downside would be that we
> need to either make duplicate packages for these tools that have policies
> within the same module (think the bootloader case) or use a different naming
> convention for those particular packages.
>
> So, what are your thoughts on this?
>
> Wkr,
> Sven Vermeulen
>

Robbat2 brought the naming issue up and suggested the ${CAT}-${PN}
scheme, but you make a good point about the mapping being many-to-many
in general.

If we agree to this standard, how do we grandfather in the packages that
are already in sec-policy? Renaming packages is a pita and we should
avoid it if we can.

--
Anthony G. Basile, Ph.D.
Gentoo Developer
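Added example, not part of the original thread or of Gentoo's tooling: a small shell check of the premise behind Sven's proposal. SELinux's module namespace is flat (what `semodule -l` shows), so naming packages sec-policy/selinux-<module> after the refpolicy module with its category dropped is only safe while no two .te files in different refpolicy categories share a basename. The function names are my own and the module list is a constructed sample; on a real refpolicy checkout you would feed `find policy/modules -name '*.te'` into `find_collisions` instead.

```shell
# Added example (not from the original thread): does dropping the refpolicy
# category from module names produce a collision for this module tree?
# The module list is constructed for illustration.

refpolicy_modules() {
    cat <<'EOF'
policy/modules/admin/bootloader.te
policy/modules/admin/logrotate.te
policy/modules/apps/gpg.te
policy/modules/kernel/corenetwork.te
policy/modules/services/apache.te
policy/modules/services/ssh.te
policy/modules/system/init.te
EOF
}

# module_name PATH: strip the category directory and the .te suffix, giving
# the name SELinux itself uses for the module (as printed by `semodule -l`).
module_name() {
    mn_base=${1##*/}
    printf '%s\n' "${mn_base%.te}"
}

# package_name PATH: the proposed Gentoo package name for a refpolicy module,
# i.e. sec-policy/selinux-<module> with the refpolicy category dropped.
package_name() {
    printf 'sec-policy/selinux-%s\n' "$(module_name "$1")"
}

# find_collisions: read module paths on stdin and print every module name that
# occurs under more than one category. Empty output means the flat naming
# scheme is safe for this tree.
find_collisions() {
    while IFS= read -r mp; do
        module_name "$mp"
    done | sort | uniq -d
}

# Stand-alone run: list the proposed package names, then report collisions.
refpolicy_modules | while IFS= read -r mp; do package_name "$mp"; done
if [ -n "$(refpolicy_modules | find_collisions)" ]; then
    echo "collision(s):"
    refpolicy_modules | find_collisions
else
    echo "no cross-category collisions"
fi
```

Because the check keys on the bare module name, it also flags the case Sven mentions of the reference policy later adding a same-named module in another category; at that point the refpolicy side would have to rename anyway, and the package name would follow.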