| 1 |
On Sep 11, 2012 4:51 PM, "Alex Brandt" <alunduil@××××××××.com> wrote: |
| 2 |
> I've been reading through your wonderful handbook, |
| 3 |
http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&chap=5 |
| 4 |
> |
| 5 |
> , about modifying the SELinux policy in Gentoo but was hoping you could |
| 6 |
provide a little more specific advice about the how to write SELinux |
| 7 |
policies for personal projects: |
| 8 |
> |
| 9 |
> |
| 10 |
> |
| 11 |
> * What's the best way to store this? With the project or as a separate |
| 12 |
code repository or as a contribution to upstream policies? |
| 13 |
|
| 14 |
Depends on the complexity. If you can manage the personal policies as |
| 15 |
additional files without patching the existing policies then I would use |
| 16 |
separate files. Recently you can keep those in the ebuilds if you want. |
| 17 |
|
| 18 |
If the patching of the existing policies is marginal, then I wouldn't |
| 19 |
recommend creating a separate repo as it is quite a time consuming activity. |
| 20 |
|
| 21 |
> * Is writing live ebuilds for selinux policies recommended or frowned |
| 22 |
upon? |
| 23 |
|
| 24 |
There are live ebuilds in the hardened dev overlay. They are definitely |
| 25 |
useful, but don't forget rebuilding occasionally... |
| 26 |
|
| 27 |
> * Where should my policy live in the long run? |
| 28 |
|
| 29 |
If they can benefit others please send thdm to us - bugzilla - or upstream. |
| 30 |
If you do it through us I will send it upstream eventually anyhow. |
| 31 |
|
| 32 |
> * Is there anything else that you can recommend for writing policies of |
| 33 |
this kind? |
| 34 |
|
| 35 |
Just start with it. And perhaps follow the discussions on the refpolicy |
| 36 |
mailinglist for coding style feedback. |
| 37 |
|
| 38 |
> Thanks for any advice or best practices you can share. |
| 39 |
> |
| 40 |
yw ;-) |
Archives