[Rpm-maint] New Policy Directive

Steve Lawrence slawrence at tresys.com
Wed Aug 19 20:51:41 UTC 2009

As you know, we have been working on integrating policy into rpm.
However, we're finding the current %policy directive to be too limiting.
We've thought about altering the existing directive to take options,
similar to the %verify or %attr directives, but the alternatives we have
come up with are either not flexible enough or too verbose/complicated
and prone to error. Additionally, the %policy directive is currently in
the %files section, which doesn't really make sense since it is treated
very differently from files traditionally put in that section.

What we would like to do is remove the existing %policy directive and
replace it with a more flexible alternative. We imagine that the new
directive would behave similarly to the %files or %pre/post directives in
that it is a separate section containing many other directives.
Similarly, a string after the directive would specify which subpackage
the policy belongs to. For example, the new directive might look something
like this:

%module apache.pp
%module base.pp
Base: yes
%policy subpackage1
%module apache.pp

%policy subpackage2
%module apache.pp
Types: mls
Priority: 700
%module firefox.pp
Priority: 500
Types: mls targeted

The %module directive would be parsed similarly to the %package directive,
in that after each %module would be a number of key/value pairs defining
various aspects of that module, such as what type of policy it is and if
it is a base module. This makes specifying options very simple but allows
us to easily add more options in future versions of rpm if needed.
Even with this flexibility, it remains pretty straightforward.

We would like to hear any thoughts you have on this new directive.
Additionally, do you think there could be any hesitation to replace the
current %policy directive with this new one, or something similar?

- Steve
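
Added example, not part of the original message and not rpm code: a strict parser for the section syntax proposed above, run on the message's own sample. The function names, the yes/no values for Base, the rejection of unknown or duplicate keys, and the treatment of %module lines that precede any %policy line as main-package modules are all assumptions of this sketch.

```python
# Added illustration, not rpm code. Returns {subpackage or None: [module dict, ...]}.
# Assumptions: None = main package; Base is yes/no; unknown/duplicate keys are rejected.
SAMPLE = """\
%module apache.pp
%module base.pp
Base: yes
%policy subpackage1
%module apache.pp

%policy subpackage2
%module apache.pp
Types: mls
Priority: 700
%module firefox.pp
Priority: 500
Types: mls targeted
"""

def convert(key, value):
    if key == "Base" and value in ("yes", "no"):
        return value == "yes"
    if key == "Types" and value:
        return value.split()
    if key == "Priority":
        return int(value)  # raises ValueError if not a number
    raise ValueError(f"bad option {key!r}: {value!r}")

def parse_policy(text):
    sections, package, module = {}, None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        try:
            if tokens[:1] == ["%policy"] and len(tokens) <= 2:
                package, module = (tokens[1] if len(tokens) == 2 else None), None
                sections.setdefault(package, [])
            elif tokens[:1] == ["%module"] and len(tokens) == 2:
                module = {"name": tokens[1]}
                sections.setdefault(package, []).append(module)
            elif module is not None and ":" in raw:
                key, value = (s.strip() for s in raw.split(":", 1))
                if key in module:
                    raise ValueError(f"duplicate option {key!r}")
                module[key] = convert(key, value)
            elif tokens:  # anything else that is not a blank line
                raise ValueError(f"unexpected line {raw.strip()!r}")
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    return sections
```

Failing closed on an unrecognised key means a misspelled option stops the build instead of silently installing a module with default settings.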
