[Rpm-maint] New Policy Directive

devzero2000 pinto.elia at gmail.com
Fri Sep 11 12:50:58 UTC 2009


On Wed, Aug 19, 2009 at 10:51 PM, Steve Lawrence <slawrence at tresys.com> wrote:

> As you know, we have been working on integrating policy into rpm.
> However, we're finding the current %policy directive to be too limiting.
> We've thought about altering the existing directive to take options,
> similar to the %verify or %attr directives, but the alternatives we have
> come up with are either not flexible enough or too verbose/complicated
> and prone to error. Additionally, the %policy directive is currently in
> the %files section, which doesn't really make sense since it is treated
> very differently from files traditionally put in that section.
>
> What we would like to do is remove the existing %policy directive and
> replace it with a more flexible alternative. We imagine that the new
> directive would behave similar to the %files or %pre/post directives in
> that it is a separate section containing many other directives.
> Similarly, a string after the directive would specify which subpackage
> the policy belongs to. For example, the new directive might look something
> like this:
>
> %policy
> %module apache.pp
> %module base.pp
> Base: yes
>
> %policy subpackage1
> %module apache.pp
>
> %policy subpackage2
> %module apache.pp
> Types: mls
> Priority: 700
> %module firefox.pp
> Priority: 500
> Types: mls targeted
>
> The %module directive would be parsed similar to the %package directive,
> in that after each %module would be a number of key/value pairs defining
> various aspects of that module, such as what type of policy it is and if
> it is a base module. This makes specifying options very simple but allows
> for us to easily add more options in future versions of rpm if needed.
> Even with this flexibility, it remains pretty straightforward.
>
> We would like to hear any thoughts you have on this new directive.
> Additionally, do you think there could be any hesitation to replace the
> current %policy directive with this new one, or something similar?
>
>
Why is it necessary to declare the Types: mls or targeted or custom? Isn't
it possible to query the policy.pp via the selinux api and obtain the
Types?

Thanks


> Thanks,
> - Steve
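The section syntax proposed in the quoted message, parsed in an added example that is not part of this thread and is not rpm's own code. The function name `parse_policy` and the value handling (Types split into a list, Priority read as an integer, Base: yes read as true) are assumptions made for illustration; the proposal only states that key/value pairs follow each %module.

```python
# Constructed sample: the %policy sections from the quoted proposal.
SAMPLE = """\
%policy
%module apache.pp
%module base.pp
Base: yes

%policy subpackage1
%module apache.pp

%policy subpackage2
%module apache.pp
Types: mls
Priority: 700
%module firefox.pp
Priority: 500
Types: mls targeted
"""


def parse_policy(text):
    """Map subpackage name (None = main package) to its list of modules."""
    sections, modules, current = {}, None, None
    for n, raw in enumerate(text.splitlines(), 1):
        words = raw.split()
        if not words:
            continue
        if words[0] == "%policy" and len(words) <= 2:
            # The optional string after the directive names the subpackage.
            modules = sections.setdefault(words[1] if len(words) == 2 else None, [])
            current = None
        elif words[0] == "%module" and len(words) == 2 and modules is not None:
            current = {"file": words[1]}
            modules.append(current)
        elif ":" in raw and current is not None and not raw.startswith("%"):
            # Key/value pairs attach to the most recent %module, in any order.
            key, _, value = raw.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "types":        # assumed: whitespace-separated list
                value = value.split()
            elif key == "priority":   # assumed: integer
                value = int(value)
            elif key == "base":       # assumed: "yes" means true
                value = value.lower() == "yes"
            current[key] = value
        else:
            raise ValueError(f"line {n}: unexpected or misplaced {raw.strip()!r}")
    return sections
```

A key/value line that appears before any %module, or a %module outside a %policy section, raises `ValueError` with the line number.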