[arch-general] Revisit official SELinux support

Timothée Ravier siosm99 at gmail.com
Thu Oct 31 18:56:39 EDT 2013 

On 31/10/2013 00:36, Allan McRae wrote:
> On 31/10/13 09:36, Timothée Ravier wrote:
>> Only packagers will be impacted as there are still some patches needed
>> and this could slow down 'core packages' updates when issues arise. But
>> fixes usually comes quite quickly as both Fedora and Gentoo maintain
>> packages with SELinux support.
> 
> Requiring patches not accepted upstream is an immediate blocker.

Sorry, I chose my words poorly. I meant two things:
  * First, patches required for SELinux should be pushed and accepted
upstream. I don't know the current state about those. I'll post an
update later.
  * Future core packages releases may require patches to make SELinux
work or even make the packages build with SELinux activated. On this
front there isn't too much to be concerned of as both Gentoo and Fedora
SELinux folks are affected by those issues too and will surely provide
patches which we could push upstream if necessary.

>> I see a couple of issues that will also have to be resolved for SELinux
>> on Arch to be usable:
>>  * It needs some support in pacman, otherwise package updates will be
>> painful;
> 
> I'm interested as a pacman developer what support would be needed, but
> that too is a likely blocker.

First, as I don't know pacman internals very well, I may say/assume
stupid things. Please correct me if that happens.

Among other things, SELinux use labels stored in files extended
attributes to do access control. You can reset those attributes to the
default values from the policy using the restorecon command tool or
using a function in the libselinux library.

However, I suspect that updating packages using pacman will overwrite
those attributes, requiring relabeling at each update as we don't know
which files had their attributes changed.

What's needed is a switch/option in pacman to restore SELinux labels on
both new files and files that have been overwritten during update.

I'll work on a patch once I got a test system running again.

Is this something unacceptable to put in pacman?

Tim

More information about the arch-general mailing list