[arch-general] SELinux packages status update

Timothée Ravier siosm99 at gmail.com
Sun Nov 3 18:21:26 EST 2013


Hi,

On 03/11/2013 23:50, Karol Babioch wrote:
> Looks great. As soon as I have some spare time I will give it a try.

Thanks! If you're building by hand, have a look at the quick README
here: https://github.com/Siosm/siosm-selinux/blob/master/README.md

>> I'll set up another repository for the SELinux policy as soon as I have
>> something which can boot in enforcing mode.
> 
> What is your current approach to come up with a reasonable policy? In
> what fashion do you plan to split up the policies themselves? Will your
> policies be based upon the reference ones (see [1])?
> 
> [1]: http://oss.tresys.com/projects/refpolicy/

As far as I know, the Fedora SELinux policy is quite comprehensive and
includes most of the software used in Arch Linux. If I'm not mistaken,
it is based on the reference policy made by Tresys.

However, I'm not planning on supporting non-MLS/MCS systems and I will
probably only make one policy with support for all the SELinux features
(including MLS/MCS).

In my opinion, this will avoid the current status with the three
Fedora policies. This is a personal opinion: it feels like the only one
"working" is the default one (targeted) and the two others (minimal and
mls) receive minimal testing and are thus mostly useless...

I don't think we need to maintain several policy versions and I don't
want to waste time supporting policies I won't use.

The battle plan is:
* strip modules from the Fedora policy to the minimum required to boot a
minimal installation;
* fix those modules; it's probably mostly going to be about paths, as
Fedora uses libexec which we don't have, and has not yet merged
/usr/sbin with /usr/bin;
* add stripped modules back progressively.

Cheers,

Tim
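
The path-fixing step of the plan above, sketched as an added example that is not part of the original message or of the siosm-selinux repository: it audits refpolicy-style `.fc` file-context entries for `/usr/sbin` and `libexec` paths. It assumes the policy uses the reference policy's `.fc` syntax; the sample entries and the `parse_fc`/`audit_fc` helpers are constructed for illustration.

```python
import re

# pathregex [filetype] context, as used in refpolicy-style .fc files
FC_LINE = re.compile(r"^(?P<path>/\S*)\s+(?:(?P<ftype>-[-dbcpls])\s+)?(?P<ctx>\S+)$")

# Constructed sample entries (hypothetical names, not from the Fedora policy).
SAMPLE_FC = r"""
# constructed example module
/usr/sbin/exampled           --  gen_context(system_u:object_r:exampled_exec_t,s0)
/usr/libexec/example/helper  --  gen_context(system_u:object_r:example_helper_exec_t,s0)
/usr/bin/exampletool         --  gen_context(system_u:object_r:bin_t,s0)
/usr/sbin/exampletool        --  gen_context(system_u:object_r:exampletool_exec_t,s0)
/usr/s?bin/other(/.*)?           gen_context(system_u:object_r:bin_t,s0)
"""

def parse_fc(text):
    """Yield (lineno, path, ctx); comments, blanks and m4 lines are skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = FC_LINE.match(raw.strip())
        if m:
            yield lineno, m["path"], m["ctx"]

def audit_fc(text):
    """Return (lineno, path, action, suggestion) for entries needing work."""
    entries = list(parse_fc(text))
    known = {path: ctx for _, path, ctx in entries}
    findings = []
    for lineno, path, ctx in entries:
        if "/libexec" in path:
            # Target location is distribution-specific: flag for manual review.
            findings.append((lineno, path, "manual", None))
        elif path.startswith("/usr/sbin/"):
            new = "/usr/bin/" + path[len("/usr/sbin/"):]
            if new not in known:
                action = "rewrite"
            elif known[new] == ctx:
                action = "drop"      # identical entry already exists
            else:
                action = "conflict"  # same path would get two different labels
            findings.append((lineno, path, action, new))
    return findings

if __name__ == "__main__":
    for finding in audit_fc(SAMPLE_FC):
        print(*finding, sep="\t")
```

Entries reported as `conflict` matter most: after the `/usr/sbin` rewrite two specifications would cover the same path with different types, so the label a binary ends up with has to be decided by hand.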

