[arch-general] Revisit official SELinux support
Nicky726
nicky726 at gmail.com
Fri Nov 1 05:36:01 EDT 2013
Hello, guys,
I noticed this discussion about SELinux just now... as a current maintainer of
SELinux packages in the AUR, let me react.
First of all, since I have been very busy lately, I didn't have time to keep
the AUR packages up-to-date, and the prospects in the near future don't look
very good... So, if there is a willing hand among you, I can pass the
maintenance to you, together with offline git repos and scripts I use to keep
the packages in sync with [core], if that is of any help to you.
Now, to the support of SELinux... To enable it, there are 1) certain changes
needed in [core] packages; 2) addition of new packages from SELinux-userspace
project; and finally 3) changes in SELinux policy to fit the Arch.
1) as for changes in [core] packages... these are usually just build options,
sometimes a patch is needed from Fedora, which is usually upstreamed in the
next-or-so version. From currently used packages: coreutils cronie findutils
linux logrotate openssh pam psmisc shadow sudo systemd util-linux, in their
out-of-date state only findutils, pam, and psmisc use those patches. The case
of pam is more complicated, since Arch uses pam_unix2, which is not used in
Fedora, causing the patch being harder to come by.
2) as for SELinux-userspace and others, the biggest issue is the changes
needed due to python3/python2, and setools which is a mess.
3) as for the policy, I never really got there deep enough, but it seems that
especially labelling paths have to be changed to respect the status in Arch,
so probably a new Arch SELinux policy should be created and maintained based
on Refpolicy or Fedora policy with lots of patching of .fc files. Also, for
reasons unknown to me, selinux-usr-checkpolicy has to be built with legacy
version of flex to successfully build SELinux policy.
Hope this is of some help...
Regards,
Nicky
--
Don't it always seem to go
That you don't know what you've got
Till it's gone
(Joni Mitchell)
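The .fc relabelling problem described under point 3, as an added illustration that is not part of the post or of any SELinux project: a small Python checker that parses refpolicy-style file_contexts lines, extracts the literal path each regex starts with, and reports the specs whose path does not exist on the target system. The sample .fc lines and the `exists` callback are constructed for the example.

```python
from typing import Callable, List, Optional, Tuple

# Constructed refpolicy-style file_contexts (.fc) lines; not from any real
# policy and not from the post. The last field is the usual gen_context().
SAMPLE_FC = """\
/usr/lib/systemd(/.*)?          gen_context(system_u:object_r:systemd_unit_file_t,s0)
/lib(64)?/systemd(/.*)?         gen_context(system_u:object_r:systemd_unit_file_t,s0)
/usr/libexec(/.*)?              gen_context(system_u:object_r:bin_t,s0)
/etc/cron\\.d(/.*)?              gen_context(system_u:object_r:system_cron_spool_t,s0)
/bin/bash                 --    gen_context(system_u:object_r:shell_exec_t,s0)
"""

_META = set("()[]{}.*?+|^$")  # regex metacharacters that end the literal part

def parse_fc(text: str) -> List[Tuple[str, Optional[str], str]]:
    """Return (path_regex, file_type or None, context) per non-comment line."""
    specs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) not in (2, 3):
            raise ValueError(f"malformed .fc line: {line!r}")
        specs.append((parts[0], parts[1] if len(parts) == 3 else None, parts[-1]))
    return specs

def literal_prefix(regex: str) -> Optional[str]:
    """Leading path the regex matches literally, cut back to a whole component."""
    out, i = [], 0
    while i < len(regex):
        c = regex[i]
        if c == "\\" and i + 1 < len(regex):   # escaped char, e.g. the dot in cron\.d
            out.append(regex[i + 1]); i += 2; continue
        if c in _META:
            break
        out.append(c); i += 1
    prefix, rest = "".join(out), regex[i:]
    if rest and not (rest.startswith("/") or rest.startswith("(/")):
        prefix = prefix[:prefix.rfind("/")]    # prefix ends mid-component: back off
    return prefix if prefix not in ("", "/") else None   # None: nothing checkable

def missing_paths(fc_text: str, exists: Callable[[str], bool]) -> List[Tuple[str, str]]:
    """Specs whose literal path is absent on the target system, with their context."""
    missing = []
    for regex, _ftype, context in parse_fc(fc_text):
        prefix = literal_prefix(regex)
        if prefix is not None and not exists(prefix):
            missing.append((regex, context))
    return missing
```

Pass `os.path.exists` as the callback to run it against a real file_contexts file on the box being relabelled; entries whose prefix is only a regex (like `/lib(64)?`) are skipped rather than guessed.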