[Rpm-maint] [RFC] Packaging SELinux Policy in RPMs
Steve Lawrence
slawrence at tresys.com
Wed Apr 14 17:30:58 UTC 2010
On Fri, 2010-04-09 at 10:40 -0400, James Antill wrote:
> On Thu, 2010-04-01 at 16:45 -0400, Steve Lawrence wrote:
<snip>
It seems like you are in favor of bundling all policy into a single
policy package, adding that as a requirement, and always installing it.
This is certainly the easiest and least intrusive solution, though we're
still not convinced it is the best long-term solution. That said, we're
happy to move forward with it if you see it as the best option. Before
the decision is made though, we want to make sure the consequences are
clear:
Installing SELinux Policy and Infrastructure Becomes a Requirement
Right now, SELinux policy and the infrastructure (e.g. libsemanage,
policycoreutils) does not need to be installed. With this change
though, it becomes a requirement. For example, apache.rpm will require
apache-policy, and apache-policy will require selinux-policy, which
requires policycoreutils and libsemanage. So if you want apache, then
selinux-policy and the entire SELinux infrastructure will be required
and installed. While this may not be a big deal, it is a very
different behavior that some might not expect, especially since the
apache modules may not even be installed even though apache-policy.rpm
is.
Obsoleting/Customizing Modules is Difficult
You give the example that you can just update the packages and add
conflicts with the previous versions. I agree, for RH, this is a
simple solution. However, if you aren't RH, this isn't easy. You would
need to create your own version of the packages with your changes, and
then watch for any changes to those packages from RH. This is a lot of
work when all you may want to package is an updated type or module.
Policy Type Switching is Still A Problem
When we install policy packages, we would check to see if the modules
from that package should actually be installed. For example, if only
targeted policy is installed, we can't install the mls apache module
(even though apache-policy.rpm is installed). However, if we want to
switch to an mls policy after apache-policy.rpm has already been
installed, we need to detect that and install the mls apache
module. This would likely need to be performed by a separate tool.
Unless you are saying we should install all policy types all the time.
In this case, all you need to do to switch types is edit
/etc/selinux/config. However, actually installing all policy types
(not just the rpms) all the time is going to increase the rpm transaction
time, since there would be a separate semodule call per type, which is
very slow.
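The per-type check described in the message (install only the modules for the policy type named in /etc/selinux/config, and batch them into one semodule call so the store is rebuilt once rather than once per module) written out as scriptlet-style shell. This is an added illustration, not code from the thread, from Tresys, or from the SELinux or rpm projects. It assumes a hypothetical apache-policy package that ships one module per policy type as /usr/share/selinux/<type>/<module>.pp; the SELINUX_CONFIG, POLICY_ROOT and SEMODULE variables and all function names are the example's own. Re-running post_install from a separate tool after SELINUXTYPE is edited is what the message says would be needed to handle a type switch.

```shell
#!/bin/sh
# Added example: %post-style logic for a hypothetical apache-policy package.
# Modules are assumed to live at $POLICY_ROOT/<type>/<module>.pp (assumption).

SELINUX_CONFIG="${SELINUX_CONFIG:-/etc/selinux/config}"
POLICY_ROOT="${POLICY_ROOT:-/usr/share/selinux}"
SEMODULE="${SEMODULE:-semodule}"

# Print the SELINUXTYPE value from a config file (default: $SELINUX_CONFIG),
# or "none" when the file is missing or the key is absent. Last setting wins.
selinux_type() {
    cfg="${1:-$SELINUX_CONFIG}"
    [ -r "$cfg" ] || { echo none; return 0; }
    t=$(sed -n 's/^[[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*//p' "$cfg" | tail -n 1)
    echo "${t:-none}"
}

# Print, one per line, the .pp files that exist for the given type among the
# named modules. A module with no build for this type is silently skipped,
# which is the "can't install the mls apache module on targeted" case.
modules_for_type() {
    ptype="$1"; shift
    for m in "$@"; do
        f="$POLICY_ROOT/$ptype/$m.pp"
        [ -f "$f" ] && echo "$f"
    done
    return 0
}

# Build one semodule command line targeting the store for $ptype, passing
# every module with -i so the policy is rebuilt a single time.
# Prints the command; returns 1 when nothing would be installed.
install_command() {
    ptype="$1"; shift
    args=""
    for f in $(modules_for_type "$ptype" "$@"); do
        args="$args -i $f"
    done
    [ -n "$args" ] || return 1
    echo "$SEMODULE -s $ptype$args"
}

# Entry point: install this package's modules for the currently configured
# type only. Safe to re-run from a separate tool after a type switch, since it
# re-reads the config each time. Falls back to printing the command when
# semodule is not on PATH (e.g. in a build root).
post_install() {
    ptype=$(selinux_type)
    [ "$ptype" != none ] || return 0
    cmd=$(install_command "$ptype" "$@") || return 0
    if command -v "$SEMODULE" >/dev/null 2>&1; then
        $cmd
    else
        echo "would run: $cmd"
    fi
}

# Typical use from a package scriptlet:
#   post_install apache apache-extra
```

Note that this only keeps the one semodule call per package; with "install all types all the time" there would still be one call per type per package, which is the transaction-time cost the message raises. Collapsing those across packages would need rpm-level support (one call at the end of the transaction), which neither this example nor the thread provides.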