[arch-general] Revisit official SELinux support
Jelle van der Waa
jelle at vdwaa.nl
Thu Oct 31 06:29:32 EDT 2013
On 10/31/13 at 09:36am, Allan McRae wrote:
> On 31/10/13 09:36, Timothée Ravier wrote:
> > On 29/10/2013 01:21, Allan McRae wrote:
> >> I'd suggest that someone maintains an unofficial repo with all the
> >> packages required to set this up to prove the work required for
> >> continual maintenance of this has been done. Then requests could be
> >> made to (e.g.) add support to the kernel, providing full details of what
> >> is required and if it has any effect on those not using SELinux.
> > Hi,
> > I've had this on my TODO list for a while but never got to finish it up
> > to the point of having a really functional system as it is quite time
> > consuming (especially the SELinux policy fixing part).
> > But I should have some time for it now so I'll try to make those packages.
> > Impact for non-SELinux users should be rather minimal:
> > * kernel: TOMOYO is already enabled and need explicit boot parameter to
> > operate and so will SELinux once enabled. No major changes here except
> > for a slightly bigger kernel.
> > * userspace: only a very restricted set of packages needs tweaks, but
> > it won't impact performance for non-SELinux users. No major changes here
> > except for slightly bigger packages.
> > Only packagers will be impacted as there are still some patches needed
> > and this could slow down 'core packages' updates when issues arise. But
> > fixes usually comes quite quickly as both Fedora and Gentoo maintain
> > packages with SELinux support.
> Requiring patches not accepted upstream is an immediate blocker.
> > I see a couple of issues that will also have to be resolved for SELinux
> > on Arch to be usable:
> > * It needs some support in pacman, otherwise package updates will be
> > painful;
> I'm interested as a pacman developer what support would be needed, but
> that too is a likely blocker.
> > * It needs a proper policy tuned for Arch Linux packages. Filesystem
> > hierarchy differences between Fedora and Arch will prevent us from just
> > applying the Fedora policy to Arch;
> > * Performance comparisons between no-SELinux and disabled-SELinux
> > installations to make sure the impact is minimal.
> > Cheers,
> > Tim
Although I'm not a fan of SELinux, it would be nice if there was a list
( wiki article ) which lists all patches we need to apply on our
packages. ( Who providers these patches btw. ) And which policy files we
need to ship with our packages
Jelle van der Waa
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 490 bytes
Desc: Digital signature
More information about the arch-general