Hi, Plans for refpolicy.
I have been looking at what the Tresys folks have done in Ubuntu. They have the unconfined module in its own package, and the rest of the policy in others (they also have pulled out just cups policy into a package by itself, but I have figured out why cups was selected for special treatment). Unfortunately, I do not think they have offered a transition path.

Here is a tentative plan:

1. Create a package that has all packages that belong in Debian standard distribution. All the modules in this package are in the base.pp module. Make this package compile base module, but not load it. This is the common/base/standard package.
2. Create a package that just has the unconfined module. Make this package compile the unconfined module on installation, but not load it. This package depends on the package created in step one.
3. Create a package that has the rest of the policy modules. This package also depends on the package created in step one.

In the long term, when we create the preinst hook in dpkg, which should be fed the name of all the packages which dpkg is going to install, then we compile the corresponding modules, and we load them.

In the short term, we can create a script that, when run:

a) Looks at the installed packages, and compiles policy modules that correspond to installed packages. Only non-base modules are looked for, of course.
b) Given a list of package or policy module names, adds that to the list of packages installed, and loads the policy modules corresponding to the package/module names passed in on the command line.

Call this script from the postinst, and let the user call it at will. Make any user interactions in this script happen via debconf. This script can then eventually be called from the preinst hook.

manoj
--
The older a man gets, the farther he had to walk to school as a boy.
Manoj Srivastava <[EMAIL PROTECTED]> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
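
The module-selection step of the short-term script (parts a and b of the message above), as an added example that is not part of the original message or of any Debian package. The package-to-module map, the base-module list and `POLICY_DIR` are constructed assumptions, and the script only prints the `semodule -i` calls it would make instead of compiling or loading anything.

```sh
#!/bin/sh
# Added example: every package, module and path name below is constructed.
# Constructed map, one "package module" pair per line.
PKG_MODULE_MAP='apache2 apache
bind9 bind
cupsys cups
openssh-server ssh
postfix postfix'
BASE_MODULES='ssh'                          # assumed to live in base.pp
POLICY_DIR='/usr/share/selinux/example'     # hypothetical module directory

# is_base MODULE: succeed if MODULE is part of the base module.
is_base() {
    for b in $BASE_MODULES; do
        if [ "$b" = "$1" ]; then return 0; fi
    done
    return 1
}

# module_for NAME: NAME may be a package or a module name; prints the module,
# or nothing when the name has no policy module.
module_for() {
    printf '%s\n' "$PKG_MODULE_MAP" |
        awk -v n="$1" '$1 == n || $2 == n { print $2; exit }'
}

# plan_modules INSTALLED [NAME...]: INSTALLED is a whitespace-separated package
# list (on a real system: dpkg-query -W -f='${Package}\n'); each NAME is a
# package or module given on the command line. Prints the non-base modules
# to load, sorted and de-duplicated.
plan_modules() {
    installed=$1; shift
    for name in $installed "$@"; do
        mod=$(module_for "$name")
        [ -n "$mod" ] || continue
        if is_base "$mod"; then continue; fi
        printf '%s\n' "$mod"
    done | sort -u
}

# load_commands: read module names on stdin, print the semodule calls (dry run).
load_commands() {
    while read -r mod; do
        printf 'semodule -i %s/%s.pp\n' "$POLICY_DIR" "$mod"
    done
}
```

Packages without a policy module and modules already in base are skipped, so a postinst can call `plan_modules` repeatedly without reloading base policy.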