[arch-general] Revisit official SELinux support
Jelle van der Waa
jelle at vdwaa.nl
Thu Oct 31 06:29:32 EDT 2013
On 10/31/13 at 09:36am, Allan McRae wrote:
> On 31/10/13 09:36, Timothée Ravier wrote:
> > On 29/10/2013 01:21, Allan McRae wrote:
> >> I'd suggest that someone maintains an unofficial repo with all the
> >> packages required to set this up to prove the work required for
> >> continual maintenance of this has been done. Then requests could be
> >> made to (e.g.) add support to the kernel, providing full details of what
> >> is required and if it has any effect on those not using SELinux.
> >
> > Hi,
> >
> > I've had this on my TODO list for a while but never got to finish it up
> > to the point of having a really functional system as it is quite time
> > consuming (especially the SELinux policy fixing part).
> >
> > But I should have some time for it now so I'll try to make those packages.
> >
> > Impact for non-SELinux users should be rather minimal:
> > * kernel: TOMOYO is already enabled and needs an explicit boot parameter to
> > operate and so will SELinux once enabled. No major changes here except
> > for a slightly bigger kernel.
> > * userspace: only a very restricted set of packages needs tweaks, but
> > it won't impact performance for non-SELinux users. No major changes here
> > except for slightly bigger packages.
> >
> > Only packagers will be impacted as there are still some patches needed
> > and this could slow down 'core packages' updates when issues arise. But
> > fixes usually come quite quickly as both Fedora and Gentoo maintain
> > packages with SELinux support.
>
> Requiring patches not accepted upstream is an immediate blocker.
>
> > I see a couple of issues that will also have to be resolved for SELinux
> > on Arch to be usable:
> > * It needs some support in pacman, otherwise package updates will be
> > painful;
>
> I'm interested as a pacman developer what support would be needed, but
> that too is a likely blocker.
>
> > * It needs a proper policy tuned for Arch Linux packages. Filesystem
> > hierarchy differences between Fedora and Arch will prevent us from just
> > applying the Fedora policy to Arch;
> > * Performance comparisons between no-SELinux and disabled-SELinux
> > installations to make sure the impact is minimal.
> >
> > Cheers,
> >
> > Tim
> >
> >
>
Although I'm not a fan of SELinux, it would be nice if there was a list
(wiki article) which lists all patches we need to apply on our
packages. (Who provides these patches btw?) And which policy files we
need to ship with our packages.
--
Jelle van der Waa