On 01/11/13 08:56, Timothée Ravier wrote:
On 31/10/2013 00:36, Allan McRae wrote:
On 31/10/13 09:36, Timothée Ravier wrote:
Only packagers will be impacted as there are still some patches needed and this could slow down 'core packages' updates when issues arise. But fixes usually comes quite quickly as both Fedora and Gentoo maintain packages with SELinux support.
Requiring patches not accepted upstream is an immediate blocker.
Sorry, I chose my words poorly. I meant two things: * First, patches required for SELinux should be pushed and accepted upstream. I don't know the current state about those. I'll post an update later. * Future core packages releases may require patches to make SELinux work or even make the packages build with SELinux activated. On this front there isn't too much to be concerned of as both Gentoo and Fedora SELinux folks are affected by those issues too and will surely provide patches which we could push upstream if necessary.
It is completely necessary that all these patches are pushed upstream due to the Arch patching policy.
I see a couple of issues that will also have to be resolved for SELinux on Arch to be usable: * It needs some support in pacman, otherwise package updates will be painful;
I'm interested as a pacman developer what support would be needed, but that too is a likely blocker.
First, as I don't know pacman internals very well, I may say/assume stupid things. Please correct me if that happens.
Among other things, SELinux use labels stored in files extended attributes to do access control. You can reset those attributes to the default values from the policy using the restorecon command tool or using a function in the libselinux library.
However, I suspect that updating packages using pacman will overwrite those attributes, requiring relabeling at each update as we don't know which files had their attributes changed.
What's needed is a switch/option in pacman to restore SELinux labels on both new files and files that have been overwritten during update.
I'll work on a patch once I got a test system running again.
Is this something unacceptable to put in pacman?
Sounds like this should be a post update hook. But we don't have hooks yet... A