[arch-general] Revisit official SELinux support

Allan McRae allan at archlinux.org
Thu Oct 31 21:10:12 EDT 2013


On 01/11/13 08:56, Timothée Ravier wrote:
> On 31/10/2013 00:36, Allan McRae wrote:
>> On 31/10/13 09:36, Timothée Ravier wrote:
>>> Only packagers will be impacted as there are still some patches needed
>>> and this could slow down 'core packages' updates when issues arise. But
>>> fixes usually come quite quickly as both Fedora and Gentoo maintain
>>> packages with SELinux support.
>>
>> Requiring patches not accepted upstream is an immediate blocker.
> 
> Sorry, I chose my words poorly. I meant two things:
>   * First, patches required for SELinux should be pushed and accepted
> upstream. I don't know the current state about those. I'll post an
> update later.
>   * Future core packages releases may require patches to make SELinux
> work or even make the packages build with SELinux activated. On this
> front there isn't too much to be concerned about as both Gentoo and Fedora
> SELinux folks are affected by those issues too and will surely provide
> patches which we could push upstream if necessary.

It is completely necessary that all these patches are pushed upstream
due to the Arch patching policy.

>>> I see a couple of issues that will also have to be resolved for SELinux
>>> on Arch to be usable:
>>>  * It needs some support in pacman, otherwise package updates will be
>>> painful;
>>
>> I'm interested as a pacman developer what support would be needed, but
>> that too is a likely blocker.
> 
> First, as I don't know pacman internals very well, I may say/assume
> stupid things. Please correct me if that happens.
> 
> Among other things, SELinux uses labels stored in files' extended
> attributes to do access control. You can reset those attributes to the
> default values from the policy using the restorecon command tool or
> using a function in the libselinux library.
> 
> However, I suspect that updating packages using pacman will overwrite
> those attributes, requiring relabeling at each update as we don't know
> which files had their attributes changed.
> 
> What's needed is a switch/option in pacman to restore SELinux labels on
> both new files and files that have been overwritten during update.
> 
> I'll work on a patch once I get a test system running again.
> 
> Is this something unacceptable to put in pacman?

Sounds like this should be a post-update hook. But we don't have hooks
yet...

A
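Pacman did later gain the hooks mentioned above. The following is an added example (not code from this thread, from pacman or from the SELinux projects) of a PostTransaction hook that relabels only the paths a transaction installed or overwrote, using the restorecon tool named in the quoted message. It assumes the alpm-hooks(5) file format, restorecon at /usr/bin/restorecon, and the script path /usr/local/bin/relabel-targets.

```shell
#!/bin/sh
# Added example (not from this thread, pacman or SELinux): a pacman hook
# that relabels only the paths a transaction installed or overwrote.
# Assumes the alpm-hooks(5) format pacman gained later, restorecon(8)
# from policycoreutils, and the script path /usr/local/bin/relabel-targets.

# Hook text, constructed here. Install it as
# /etc/pacman.d/hooks/zz-selinux-restorecon.hook (the zz- prefix orders it
# after other hooks). Type = Path with Target = * delivers every installed
# or upgraded path on stdin, relative to the root and without a leading /.
selinux_hook_text() {
    cat <<'EOF'
[Trigger]
Operation = Install
Operation = Upgrade
Type = Path
Target = *

[Action]
Description = Restoring SELinux file contexts on changed files...
When = PostTransaction
NeedsTargets
Exec = /usr/local/bin/relabel-targets
EOF
}

# Body of /usr/local/bin/relabel-targets: read package-relative paths on
# stdin, prefix the install root ($1, default /) and reset only those
# paths from the loaded policy. No recursion, so a big upgrade does not
# relabel the whole tree; -i skips paths the transaction removed; -F
# rewrites the label even when only its user field differs. NUL-separated
# handoff keeps paths with spaces intact. RESTORECON is overridable for tests.
relabel_targets() {
    root=${1:-/}
    sed -e '/^$/d' -e "s|^|${root%/}/|" \
        | tr '\n' '\000' \
        | xargs -0 -r "${RESTORECON:-/usr/bin/restorecon}" -i -F
}

# Installed under the hook's Exec name, run on pacman's stdin; when
# sourced under another name (e.g. for testing) only define functions.
case ${0##*/} in
    relabel-targets) relabel_targets ;;
esac
```

Because the hook only touches paths the transaction reported, a full `restorecon -R /` is no longer needed after every update, which was the concern raised in the quoted message.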


