On Mon, Feb 21, 2011 at 05:49:59PM -0500, Anthony G. Basile wrote:
> I am in agreement, but I hesitate because moving packages is a pita.  If
> it can be done with minimal disruption, then let's move in that
> direction.  Do you know what current sec-policy/selinux-* are in violation?

A quick check shows:
        selinux-acpi            (apm)
        selinux-audio-entropyd  (audioentropy)
        selinux-courier-imap    (courier)
        selinux-cyrus-sasl      (sasl)
        selinux-desktop         (xserver xfs mplayer mozilla java mono wine)
        selinux-ftpd            (ftp)
        selinux-gnupg           (gpg)
        selinux-hal             (hal dmidecode)
        selinux-jabber-server   (jabber)
        selinux-nfs             (rpc)
        selinux-ucspi-tcp       (ucspitcp)

The other 193 packages do follow this convention already.

I don't think we need to force a rename. We can just update the
packages that depend on them (there aren't many yet, so the work should be
limited) and let the old ones "die" (in a more ideal scenario, all
sec-policy/ packages are pulled in as dependencies except for the
selinux-base-policy one). Every time the parent packages are updated, we
update the old package as well to become "empty". The new package contains
a blocker on the old package which Portage hopefully resolves correctly (so
that we don't have a file collision on the /usr/share/selinux/*/*.pp files).

Or, in a somewhat more schematic approach...

Phase 1 (as-is)
===============

app-crypt/gnupg-A               dependson       sec-policy/selinux-gnupg-X

Phase 2
=======

In one "commit": update gnupg (A->B), selinux-gnupg (X->Y), introduce
selinux-gpg. As a result, Portage will install selinux-gpg. The blocker
tells Portage that selinux-gnupg needs to be updated (towards the "empty"
package) first. For SELinux itself, this doesn't matter as the policy module
is loaded (even when it has disappeared from /usr/share/selinux/*/*.pp).

app-crypt/gnupg-B               dependson       sec-policy/selinux-gpg-1
sec-policy/selinux-gnupg-Y      blocks          !~sec-policy/selinux-gnupg-X

Phase 3 (fade-out)
==================

sec-policy/selinux-gnupg is removed from Portage tree.



BTW, the selinux-desktop one is a weird one and my suggestion would be to
purge it (it's not manageable).

Wkr,
        Sven Vermeulen
