On 12/4/11 9:35 PM, Sven Vermeulen wrote:
> Within the Gentoo Hardened project, we are working on getting the SELinux
> support into shape. Recent evolutions are the stabilization of latest upstream
> userspace utilities and policies as well as documentation improvements and even
> some "human resource improvements" (read: fresh blood in our ranks).

This is excellent progress! Kudos for working on this.

> In Gentoo, unlike some other distributions, we try to keep the number of
> loaded/installed modules to a minimum so that policy rebuilds as well as the
> system overhead is limited. This results in a "base" policy (provided by
> selinux-base-policy) and modules (provided by sec-policy/selinux-<modulename>).
> To make sure that installations of a package pull in the right SELinux module,
> the proper dependencies must be defined.

Are you sure this is the right choice? It seems to me that it'd be better to focus on making things work, and increasing the complexity of the deps makes this harder (and increases the number of packages you maintain too). Unless you have _abundant_ resources to deal with that, I'd like to discourage you from handling policies that way.

Furthermore, imagine I'm adding a new package "foo" that is covered by the SELinux policy. Most developers don't use SELinux (hey, I suspect most of them don't even use the developer profile; bad, bad!). How do I know whether it's sec-policy/selinux-foo that's not yet added or sec-policy/selinux-games or something else... If the complete policy is in one package, this should be obvious, and we don't even need deps for that.

> Since there are quite a few packages that would need updates, I thought about
> first mailing gentoo-dev for feedback and perhaps a first chunk of work done. I
> also wouldn't mind creating bugreports for each of them, but that would still be
> best done after having mailed gentoo-dev ;-)

As said by other devs here, I also think it'd be more effective if you just do the change yourself. USE="selinux" doesn't affect anything else so it's safe.
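The thread turns on whether each ebuild should carry a USE=selinux-conditional dependency on its own sec-policy/selinux-* module. The script below is an added illustration, not part of the mail or of any Gentoo tooling: it shows what such a dependency looks like in an ebuild and lints an ebuild for it, which is the kind of check a developer who does not run SELinux could use to answer the "is sec-policy/selinux-foo missing?" question raised above. The ebuild fragments and the package names selinux-foo and dev-libs/bar are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): lint an ebuild for a USE=selinux-conditional
# dependency on a sec-policy/selinux-* module. Package names are placeholders.

# ebuild_has_selinux_dep FILE
# Returns 0 when FILE both lists "selinux" in IUSE and carries a
# selinux? ( ... sec-policy/selinux-<name> ... ) conditional dependency.
# Returns 1 otherwise (either half missing means emerge will not pull the module).
ebuild_has_selinux_dep() {
    file="$1"
    # IUSE must advertise the flag, or the conditional can never be enabled.
    grep -Eq '^IUSE="([^"]* )?selinux( [^"]*)?"' "$file" || return 1
    # RDEPEND/DEPEND may span several lines; flatten, then look for the block.
    tr '\n' ' ' < "$file" |
        grep -Eq 'selinux\?[[:space:]]*\([^)]*sec-policy/selinux-[a-z0-9_-]+[^)]*\)'
}

# write_samples DIR
# Writes two constructed ebuilds into DIR: one with the conditional module
# dependency and one that forgot it.
write_samples() {
    dir="$1"
    cat > "$dir/foo-good.ebuild" <<'EOF'
EAPI=4
IUSE="selinux"
RDEPEND="dev-libs/bar
	selinux? ( sec-policy/selinux-foo )"
EOF
    cat > "$dir/foo-bad.ebuild" <<'EOF'
EAPI=4
IUSE="selinux"
RDEPEND="dev-libs/bar"
EOF
}

# Stand-alone usage: report on both samples.
main() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/selinux-lint.XXXXXX")
    write_samples "$dir"
    for f in "$dir"/*.ebuild; do
        if ebuild_has_selinux_dep "$f"; then
            echo "ok      $(basename "$f")"
        else
            echo "MISSING $(basename "$f"): no selinux? ( sec-policy/selinux-* ) dependency"
        fi
    done
    rm -rf "$dir"
}

# Only run the demo when executed directly, so the functions can be sourced.
case "$0" in
    *selinux-lint*|*.sh) main ;;
esac
```

The check is deliberately narrow: it only confirms that the dependency Sven describes is present, not that the named module actually exists in the tree, which is the part of the problem this reply argues is hard to get right without running SELinux.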