On Mon, Dec 05, 2011 at 08:54:13AM +0100, "Paweł Hajdan, Jr." wrote:
> > In Gentoo, unlike some other distributions, we try to keep the number of
> > loaded/installed modules to a minimum so that policy rebuilds as well as the
> > system overhead are limited. This results in a "base" policy (provided by
> > selinux-base-policy) and modules (provided by
> > sec-policy/selinux-<modulename>). To make
> > sure that installations of a package pull in the right SELinux module, the
> > proper dependencies must be defined.
>
> Are you sure this is the right choice? It seems to me that it'd be better to
> focus on making things work, and increasing the complexity of the deps
> makes this harder (and increasing the number of packages you maintain
> too). Unless you have _abundant_ resources to deal with that, I'd like
> to discourage you from handling policies that way.
For end users, this is much more enjoyable. If we load up all policies, then
any interaction with the SELinux policies will take some time. Also, all
policies in memory do take up some space. Finally, for development purposes,
this is very much enjoyable as well, since it allows for much faster policy
development (rebuild policies in seconds to minutes rather than dozens of
minutes).

Maintenance is actually pretty easy. The eclass we use provides us with a very
easy interface to add modules, and because it is a module per ebuild, we can
push changes on individual modules without pushing full policy builds again.

> Furthermore, imagine I'm adding a new package "foo" that is covered by
> the SELinux policy. Most developers don't use SELinux (hey, I suspect
> most of them don't even use the developer profile; bad, bad!). How do I know
> whether it's sec-policy/selinux-foo that's not yet added or
> sec-policy/selinux-games or something else... If the complete policy is
> in one package, this should be obvious, and we don't even need deps for
> that.

I know. This is one major hurdle that we need to take on. Using dependencies
is the "easiest" approach, albeit the most resource-intensive one (initially,
that is). I don't mind having the dependencies added as we go. For our end
users, we already documented that missing modules are to be expected and how
to resolve it.

> As said by other devs here, I also think it'd be more effective if you
> just do the change yourself. USE="selinux" doesn't affect anything else
> so it's safe.

Ok, no problem. I'll check on IRC regardless, if not just to give a "heads up"
on changes.

Also, my apologies for not sorting the list. Careful readers will notice it is
sorted, but by the package name, not category :/

Thank you all for the feedback!

Wkr,
	Sven Vermeulen
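The dependency pattern the thread is discussing, as a constructed example added here (not taken from the thread or from the Gentoo tree); "foo" is the hypothetical package name used in the discussion, and the EAPI value and eclass usage are assumptions for illustration:

```ebuild
# Constructed example: excerpt from the ebuild of a hypothetical package "foo".
# The policy module is pulled in only when the selinux USE flag is set, so
# users without USE="selinux" are unaffected and the set of loaded modules
# stays minimal, which is the point made above.
IUSE="selinux"
RDEPEND="selinux? ( sec-policy/selinux-foo )"

# Constructed example: the matching sec-policy/selinux-foo ebuild (assumed EAPI).
# The selinux-policy-2 eclass builds and installs only the module(s) named in
# MODS on top of the base policy, which is what lets one module be rebuilt and
# pushed without rebuilding the full policy.
EAPI="4"
IUSE=""
MODS="foo"
inherit selinux-policy-2
DESCRIPTION="SELinux policy for foo"
```

A missing module shows up at runtime as denials for the package's domain rather than as a build failure, which is why the thread treats the dependency as the way to make the requirement visible to non-SELinux developers.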