[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Sid SELinux packages are now working

Hello Manoj,
>         Hmm. Python. I think I looked at that when I implemented the
Well, that script actually is shell.
The python script is what I use to do the autodetection magic.

>  SELinux policy modules and debian packages, which discovers the
>  relationships between modules and orders the policy load correctly,  so
>  that it can pull in any dependency as required.

Yep, I'm generating them on compile time in my packages and storing them
in an auxillary file. shipping another 1k file with the package felt
nicer to me than computing it on install time.

>         I was thinking of looking at the module, and updating it if it
>  was different -- whether or not the version changed. Yes, I am lazy.
>         md5sum mismatch, refresh module.

I don't think this is a good idea. If I have (for whatever reason) to
modify a policy module, I'd like to be able to bump the version number a
bit to avoid it from being updated. Like bumping it to 2.x; it will be
some time until refpolicy uses 2.x version numbers and by then the
policy module will be worthless anyway.
That way, if we'd e.g. have to do a security update for the policy
package, this customized module wouldn't be updated.
I don't think there is a big cost in replacing modules with the exact
same version (they'll be processed anyway; AFAIK we don't modify the
compiled policy, but instead it's assembled again from the .pp files?)
At least not if you do all the processing in one step; doing a single
semodule -i call of course isn't cheap.
So please use the version numbers in the modules.

>         Hmm. I had not thought about blacklisting modules. I think, if
>  you have a local module that overrides a  refpolicy module, and so you
>  don't want to have the module changed at all, it should be easy enough
>  to implement a configuration file which sets a blacklist variable.

And it would be a very easy to understand behavior, nicer than the
version numbers. But I still wouldn't skip the version checking.

best regards,
Erich Schubert
    erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
             Reality continues to ruin my life --- Calvin            //\
   Die kürzeste Verbindung zwischen zwei Menschen ist ein Lächeln.   V_/_

Reply to: