Hi,
On 05. 09. 21 15:29, Sam Varshavchik wrote:
> Vitaly Zaitsev via devel writes:
>> On 05/09/2021 14:52, Sam Varshavchik wrote:
>>> if only a great, overwhelming majority of Fedora package maintainers
>>> were able to write policies for their own packages and maintain it
>>> themselves because SELinux documentation was ample and easy to follow
>> https://pagure.io/packaging-committee/issue/726
>> https://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft
> Which parts of the above describe, and explain, how to write the
> SELinux policy itself? Once it's written that's a great piece of
> documentation to follow, to explain how to package this policy. But
> this is putting the cart before the horse. The package maintainers
> have to actually understand how to write SELinux policies, first.
Yes, this is a valid point and we should definitely do something about
it. There are quite a few sources and tools (arguably often not properly
publicly documented) a policy developer can use. But we could use a
single go-to place that would get a new policy writer/maintainer started.
SELinux notebook - https://github.com/SELinuxProject/selinux-notebook/ -
something like the "Maximum RPM" you mentioned
SELinux Project wiki - http://selinuxproject.org/page/Main_Page
Tools:
* sepolicy-generate - generates an initial SELinux policy module template
* audit2allow - generates policy rules, or even interface calls covering
given AVC messages
* macro-expander - expands given macro/interface call into a list of
policy rules -
https://lukas-vrabec.com/index.php/2019/02/03/new-trick-macro-expander/
Again, I realize these can be hard to find/understand, which is why I
appreciate this feedback and I'll do my best to act on it (we already
discussed this within SELinux team and came up with some action items).
The packaging guidelines draft referenced above is based on
https://fedoraproject.org/wiki/SELinux/IndependentPolicy. This guideline
is part of Decentralized SELinux Policy project, designed to help
developers "adopt" a policy their package is using. As was already
discussed in this thread, a few packages are already part of this
project and more are on the way.
Sincerely,
Vit
The problem isn't the technical details of how to package an SELinux
policy with the package.
The problem is the domain knowledge needed to write that SELinux
policy in the first place. It's siloed mostly in the selinux package
itself. I assert that the documentation above is not going to be
useful to 95% of the package maintainers. A few of them will know how
to write a policy, and then follow the above wiki. The rest will not.
Prove me wrong.
I posted this link before:
https://raw.githubusercontent.com/svarshavchik/libcxx/master/packaging/fedora/libcxx.te
Where is the documentation that explains /all/ of the above, and what
it means? I wrote that policy, of course, but even now, just a short
time later, I can't for the life of me tell you where all that
documentation is. Because there isn't any, I had to figure it out based on
scraps of other selinux policies that I looked at, and based on my
experience with other stuff that did NOT involve SELinux.
You will not find any documentation that explains /all/ of that on
https://selinuxproject.org
And at most 5% of the above is explained in
https://selinuxproject.org/page/RefpolicyWriteModule
And until the state of the world is such that SELinux is not a siloed
domain, that it's amply documented, and package maintainers have
documentation that they can use to write their own policy, for the
package that they fully understand and support, SELinux will continue
to break random stuff, over and over again.
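As an added illustration of the audit2allow step in the tool list above (this is not code from the thread, nor audit2allow itself): a small parser that turns AVC denial lines into merged allow rules, which is the translation audit2allow performs before the maintainer decides whether each access is legitimate. The AVC lines are constructed for this example, and the domain myapp_t is an assumed name.

```python
import re
from collections import defaultdict

# Constructed sample AVC denials (not taken from the thread); the field layout
# follows what auditd records for an SELinux denial.
SAMPLE_AVCS = """\
type=AVC msg=audit(1630849200.101:301): avc:  denied  { read } for  pid=2101 comm="myapp" name="myapp.conf" dev="dm-0" ino=4711 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1630849200.102:302): avc:  denied  { open } for  pid=2101 comm="myapp" path="/etc/myapp.conf" dev="dm-0" ino=4711 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1630849200.150:303): avc:  denied  { name_bind } for  pid=2101 comm="myapp" src=8080 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
"""

# Captures the denied permission set and the source/target contexts and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type field (third component) of user:role:type[:level]."""
    return context.split(":")[2]


def parse_avcs(text):
    """Yield (source_type, target_type, class, {perms}) for each denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial line; skip it rather than guess
        yield (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"],
               set(m["perms"].split()))


def allow_rules(text):
    """Merge denials that share (source, target, class) into one allow rule each."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_avcs(text):
        merged[(src, tgt, cls)] |= perms
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(merged.items())]


if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_AVCS)))
```

The output is a starting point rather than a finished policy: a rule such as the name_bind on http_cache_port_t is exactly the kind of denial a maintainer should read and interpret (is that port the intended one for this service?) instead of pasting it into the .te file as generated.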
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure