Hi,

On 03/11/2013 23:50, Karol Babioch wrote:
> Looks great. As soon as I have some spare time I will give it a try.
Thanks! If you're building by hand, have a look at the quick README here: https://github.com/Siosm/siosm-selinux/blob/master/README.md
I'll set up another repository for the SELinux policy as soon as I have something which can boot in enforcing mode.
> What is your current approach to come up with a reasonable policy? In what fashion do you plan to split up the policies themselves? Will your policies be based upon the reference ones (see [1])?
As far as I know, the Fedora SELinux policy is quite comprehensive and includes most of the software used in Arch Linux. If I'm not mistaken, it is based on the reference policy made by Tresys.

However, I'm not planning on supporting non-MLS/MCS systems and I will probably only make one policy with support for all the SELinux features (including MLS/MCS). According to me, this will avoid the current status with the three Fedora policies. This is a personal opinion: it feels like the only one "working" is the default one (targeted) and the two others (minimal and mls) receive minimal testing and are thus mostly useless...

I don't think we need to maintain several policy versions and I don't want to waste time supporting policies I won't use.

The battle plan is:

* strip modules from the Fedora policy to the minimum required to boot a minimal installation;
* fix those modules; it's probably mostly going to be about paths, as Fedora uses libexec which we don't have, and has not yet merged /usr/sbin with /usr/bin;
* add stripped modules back progressively.

Cheers,
Tim