[Rpm-maint] [RFC] Packaging SELinux Policy in RPMs

Chad Sellers csellers at tresys.com
Thu Apr 8 17:30:15 UTC 2010


On 4/1/10 4:45 PM, "Steve Lawrence" <slawrence at tresys.com> wrote:

<snip>
> 
> One method that could solve this is conditional requirements. For
> example, something along these lines:
> 
>     Requires: selinux-policy-targeted ? apache-policy-targeted
>     Requires: selinux-policy-mls ? apache-policy-mls
> 
> This would automatically require the correct policies based on the
> currently installed base policies, and completely eliminate the type
> switching issue. However, this may be difficult to implement and could
> affect a lot of rpm dependency checking. This is further complicated if
> real conditionals, such as else, not, and, or, and nested conditionals
> are desired, though they shouldn't be needed for policy requirements.
> 
> A similar option, but perhaps not as difficult, would be to add runtime
> macro expansion in Requires.  For example, you might have something like
> this:
> 
>     Requires: apache-policy-%{SELINUX_TYPE}
> 
<snip>

Has the idea of more dynamic Requires been discussed before? It seems that
either design would add a huge amount of flexibility to the process of
figuring out what packages to install. Unfortunately, I'd assume they also
add a huge amount of complexity to both rpm and yum. Am I off in that
assumption?

Has anyone ever needed more dynamic Requires like this? My feeling is that
this complexity would not be worth it just for SELinux. Then again, perhaps
I'm overestimating what this would entail.

Thanks,
Chad
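
Added example, not part of the original message and not rpm code: a small Python model of the two Requires forms quoted above, evaluated against a constructed set of installed packages. The `?` semantics, the install-time value of `SELINUX_TYPE`, and all function names are assumptions made for illustration.

```python
import re

# Added illustration: the two Requires forms proposed in the quoted message.
# The parsing and semantics below are assumptions, not rpm behaviour.
COND_RE = re.compile(r"^Requires:\s*(\S+)\s*\?\s*(\S+)$")
PLAIN_RE = re.compile(r"^Requires:\s*(\S+)$")
MACRO_RE = re.compile(r"%\{(\w+)\}")


def expand_macros(text, macros):
    """Expand %{NAME} at install time; an undefined macro is an error."""
    def repl(match):
        name = match.group(1)
        if name not in macros:
            raise KeyError(f"undefined macro: {name}")
        return macros[name]
    return MACRO_RE.sub(repl, text)


def resolve_requires(spec_lines, installed, macros):
    """Return (required, unmet) package lists for the current system state."""
    required = []
    for raw in spec_lines:
        line = raw.strip()
        cond = COND_RE.match(line)
        if cond:
            trigger, target = cond.groups()
            # "A ? B": B is required only while A is installed.
            if trigger in installed:
                required.append(target)
            continue
        plain = PLAIN_RE.match(line)
        if plain is None:
            raise ValueError(f"unrecognised line: {line!r}")
        required.append(expand_macros(plain.group(1), macros))
    unmet = [pkg for pkg in required if pkg not in installed]
    return required, unmet


# Constructed sample state: both base policies installed, one Apache module.
CONDITIONAL_SPEC = [
    "Requires: selinux-policy-targeted ? apache-policy-targeted",
    "Requires: selinux-policy-mls ? apache-policy-mls",
]
MACRO_SPEC = ["Requires: apache-policy-%{SELINUX_TYPE}"]
INSTALLED = {"selinux-policy-targeted", "selinux-policy-mls",
             "apache-policy-targeted"}
MACROS = {"SELINUX_TYPE": "targeted"}  # assumed to be supplied at install time
```

In this model, with both base policies installed, the conditional form asks for both Apache policy packages, while the macro form asks only for the one named by the macro value.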
 


