| 1 |
On Sun, Jul 12, 2015 at 04:46:03PM -0700, S. Lockwood-Childs wrote: |
| 2 |
> I'd appreciate feedback on a blog-style article[1] talking about |
| 3 |
> how CIL is going to improve SELinux policy maintenance, and in |
| 4 |
> particular, the last section where I try to point out how good Gentoo |
| 5 |
> is for experimenting with SELinux technologies. The article is |
| 6 |
> maintained as an rst file in github[2], so corrections/additions |
| 7 |
> could be submitted as a pull request if desired (though plain old |
| 8 |
> mailing list replies are equally welcome). |
| 9 |
> |
| 10 |
> [1] http://vctlabs.com/posts/2015/Jul/12/selinux_cil/ |
| 11 |
> [2] https://github.com/VCTLabs/vct-web/blob/master/content/articles/selinux_cil.rst |
| 12 |
|
| 13 |
Hi, |
| 14 |
|
| 15 |
Overall a good article. One thing which I would also point out together |
| 16 |
with the move to CIL is that there is now no "base" module. In the 2.3 |
| 17 |
and earlier userlands, all the important things were in "base.pp" and |
| 18 |
then other things were added separately as modules. One of the reasons |
| 19 |
why modifying ports works in the 2.4 userland is that there is no more |
| 20 |
base, it is treated just like any other module now so the limitations of |
| 21 |
eg ports must be in base no longer apply. |
| 22 |
|
| 23 |
Secondly, related to "poor support for preserving local changes across |
| 24 |
system updates". The tools now have the concept of priority so users can |
| 25 |
easy completely replace a distro-provided module at a higher priority |
| 26 |
(semodule -X 900 -i foo.pp). I haven't (yet) updated our selinux eclass |
| 27 |
to install at a lower priority but will hopefully do that soon. |
| 28 |
|
| 29 |
Not sure if you are aware of it, but there is also a project to write a |
| 30 |
direct refpol -> cil compiler without going via .pp[1]. It looks like it |
| 31 |
has stagnated for a while but it will hopefully make the generated cil |
| 32 |
files a little less ugly than they currently are. |
| 33 |
[1]: https://bitbucket.org/jwcarter/fpp.git |
| 34 |
|
| 35 |
-- Jason |
Archives