On 29/10/2013 01:21, Allan McRae wrote:
> I'd suggest that someone maintains an unofficial repo with all the
> packages required to set this up to prove the work required for
> continual maintenance of this has been done. Then requests could be
> made to (e.g.) add support to the kernel, providing full details of what
> is required and if it has any effect on those not using SELinux.

Hi,

I've had this on my TODO list for a while but never got to finish it up to the point of having a really functional system as it is quite time consuming (especially the SELinux policy fixing part). But I should have some time for it now so I'll try to make those packages.

Impact for non-SELinux users should be rather minimal:

* kernel: TOMOYO is already enabled and needs an explicit boot parameter to operate and so will SELinux once enabled. No major changes here except for a slightly bigger kernel.
* userspace: only a very restricted set of packages needs tweaks, but it won't impact performance for non-SELinux users. No major changes here except for slightly bigger packages.

Only packagers will be impacted as there are still some patches needed and this could slow down 'core packages' updates when issues arise. But fixes usually come quite quickly as both Fedora and Gentoo maintain packages with SELinux support.

I see a couple of issues that will also have to be resolved for SELinux on Arch to be usable:

* It needs some support in pacman, otherwise package updates will be painful;
* It needs a proper policy tuned for Arch Linux packages. Filesystem hierarchy differences between Fedora and Arch will prevent us from just applying the Fedora policy to Arch;
* Performance comparisons between no-SELinux and disabled-SELinux installations to make sure the impact is minimal.

Cheers,

Tim