[arch-general] Revisit official SELinux support
nicky726 at gmail.com
Fri Nov 1 05:36:01 EDT 2013
I noticed this discussion about SELinux just now... as a current maintainer of
SELinux packages in the AUR, let me react.

First of all, since I have been very busy lately, I didn't have time to keep
the AUR packages up-to-date, and the prospects in the near future don't look
very good... So, if there is a willing hand among you, I can pass the
maintenance to you, together with offline git repos and scripts I use to keep
the packages in sync with [core], if that is of any help to you.
Now, to the support of SELinux... To enable it, there are 1) certain changes
needed in [core] packages; 2) addition of new packages from the SELinux-userspace
project; and finally 3) changes in SELinux policy to fit Arch.

1) as for changes in [core] packages... these are usually just build options,
sometimes a patch is needed from Fedora, which is usually upstreamed in the
next-or-so version. From currently used packages: coreutils cronie findutils
linux logrotate openssh pam psmisc shadow sudo systemd util-linux, in their
out-of-date state only findutils, pam, and psmisc use those patches. The case
of pam is more complicated, since Arch uses pam_unix2, which is not used in
Fedora, making the patch harder to come by.
2) as for SELinux-userspace and others, the biggest issue is the changes
needed due to python3/python2, and setools, which is a mess.

3) as for the policy, I never really got there deep enough, but it seems that
especially labelling paths have to be changed to respect the status in Arch,
so probably a new Arch SELinux policy should be created and maintained based
on Refpolicy or the Fedora policy with lots of patching of .fc files. Also, for
reasons unknown to me, selinux-usr-checkpolicy has to be built with a legacy
version of flex to successfully build the SELinux policy.

Hope this is of some help...
Don't it always seem to go
That you don't know what you've got
Till it's gone