[arch-general] Revisit official SELinux support

Allan McRae allan at archlinux.org
Wed Oct 30 19:36:56 EDT 2013 

On 31/10/13 09:36, Timothée Ravier wrote:
> On 29/10/2013 01:21, Allan McRae wrote:
>> I'd suggest that someone maintains an unofficial repo with all the
>> packages required to set this up to prove the work required for
>> continual maintenance of this has been done.  Then requests could be
>> made to (e.g.) add support to the kernel, providing full details of what
>> is required and if it has any effect on those not using SELinux.
> 
> Hi,
> 
> I've had this on my TODO list for a while but never got to finish it up
> to the point of having a really functional system as it is quite time
> consuming (especially the SELinux policy fixing part).
> 
> But I should have some time for it now so I'll try to make those packages.
> 
> Impact for non-SELinux users should be rather minimal:
>  * kernel: TOMOYO is already enabled and need explicit boot parameter to
> operate and so will SELinux once enabled. No major changes here except
> for a slightly bigger kernel.
>  * userspace: only a very restricted set of packages needs tweaks, but
> it won't impact performance for non-SELinux users. No major changes here
> except for slightly bigger packages.
> 
> Only packagers will be impacted as there are still some patches needed
> and this could slow down 'core packages' updates when issues arise. But
> fixes usually comes quite quickly as both Fedora and Gentoo maintain
> packages with SELinux support.

Requiring patches not accepted upstream is an immediate blocker.

> I see a couple of issues that will also have to be resolved for SELinux
> on Arch to be usable:
>  * It needs some support in pacman, otherwise package updates will be
> painful;

I'm interested as a pacman developer what support would be needed, but
that too is a likely blocker.

>  * It needs a proper policy tuned for Arch Linux packages. Filesystem
> hierarchy differences between Fedora and Arch will prevent us from just
> applying the Fedora policy to Arch;
>  * Performance comparisons between no-SELinux and disabled-SELinux
> installations to make sure the impact is minimal.
> 
> Cheers,
> 
> Tim
> 
>

More information about the arch-general mailing list