[arch-general] Revisit official SELinux support

ProgAndy admin at progandy.de
Thu Oct 31 11:36:56 EDT 2013


On Thu 31 Oct 2013 11:29:32 CET, Jelle van der Waa wrote:
> On 10/31/13 at 09:36am, Allan McRae wrote:
>> On 31/10/13 09:36, Timothée Ravier wrote:
>>> On 29/10/2013 01:21, Allan McRae wrote:
>>>> I'd suggest that someone maintains an unofficial repo with all the
>>>> packages required to set this up to prove the work required for
>>>> continual maintenance of this has been done.  Then requests could be
>>>> made to (e.g.) add support to the kernel, providing full details of what
>>>> is required and if it has any effect on those not using SELinux.
>>>
>>> Hi,
>>>
>>> I've had this on my TODO list for a while but never got to finish it up
>>> to the point of having a really functional system as it is quite time
>>> consuming (especially the SELinux policy fixing part).
>>>
>>> But I should have some time for it now so I'll try to make those packages.
>>>
>>> Impact for non-SELinux users should be rather minimal:
>>>   * kernel: TOMOYO is already enabled and needs an explicit boot parameter to
>>> operate, and so will SELinux once enabled. No major changes here except
>>> for a slightly bigger kernel.
>>>   * userspace: only a very restricted set of packages needs tweaks, but
>>> it won't impact performance for non-SELinux users. No major changes here
>>> except for slightly bigger packages.
>>>
>>> Only packagers will be impacted as there are still some patches needed
>>> and this could slow down 'core packages' updates when issues arise. But
>>> fixes usually come quite quickly as both Fedora and Gentoo maintain
>>> packages with SELinux support.
>>
>> Requiring patches not accepted upstream is an immediate blocker.
>>
>>> I see a couple of issues that will also have to be resolved for SELinux
>>> on Arch to be usable:
>>>   * It needs some support in pacman, otherwise package updates will be
>>> painful;
>>
>> I'm interested as a pacman developer what support would be needed, but
>> that too is a likely blocker.
>>
>>>   * It needs a proper policy tuned for Arch Linux packages. Filesystem
>>> hierarchy differences between Fedora and Arch will prevent us from just
>>> applying the Fedora policy to Arch;
>>>   * Performance comparisons between no-SELinux and disabled-SELinux
>>> installations to make sure the impact is minimal.
>>>
>>> Cheers,
>>>
>>> Tim
>>>
>>>
>>
>
> Although I'm not a fan of SELinux, it would be nice if there was a list
> ( wiki article ) which lists all patches we need to apply on our
> packages. ( Who provides these patches btw. ) And which policy files we
> need to ship with our packages.
>
>

This wiki page already exists [1]. It mentions the patched packages are 
available in the AUR. I see no problem if someone wants to provide an 
unofficial binary repository for them. And as mentioned by Pablo 
Lezaeta, there exists a blogpost about arch with selinux [2] which is 
also referenced in the wiki.

[1]: https://wiki.archlinux.org/index.php/SELinux
[2]: http://www.jamesthebard.net/site/archlinux-selinux-and-you-a-trip-down-the-rabbit-hole/
