On 31/10/13 09:36, Timothée Ravier wrote:
> On 29/10/2013 01:21, Allan McRae wrote:
>> I'd suggest that someone maintains an unofficial repo with all the
>> packages required to set this up to prove the work required for
>> continual maintenance of this has been done. Then requests could be
>> made to (e.g.) add support to the kernel, providing full details of what
>> is required and if it has any effect on those not using SELinux.
>
> Hi,
>
> I've had this on my TODO list for a while but never got to finish it up
> to the point of having a really functional system as it is quite time
> consuming (especially the SELinux policy fixing part).
>
> But I should have some time for it now so I'll try to make those packages.
>
> Impact for non-SELinux users should be rather minimal:
> * kernel: TOMOYO is already enabled and needs an explicit boot parameter to
>   operate, and so will SELinux once enabled. No major changes here except
>   for a slightly bigger kernel.
> * userspace: only a very restricted set of packages needs tweaks, but
>   it won't impact performance for non-SELinux users. No major changes here
>   except for slightly bigger packages.
>
> Only packagers will be impacted as there are still some patches needed
> and this could slow down 'core packages' updates when issues arise. But
> fixes usually come quite quickly as both Fedora and Gentoo maintain
> packages with SELinux support.

Requiring patches not accepted upstream is an immediate blocker.

> I see a couple of issues that will also have to be resolved for SELinux
> on Arch to be usable:
> * It needs some support in pacman, otherwise package updates will be
>   painful;

I'm interested as a pacman developer what support would be needed, but
that too is a likely blocker.

> * It needs a proper policy tuned for Arch Linux packages. Filesystem
>   hierarchy differences between Fedora and Arch will prevent us from just
>   applying the Fedora policy to Arch;
> * Performance comparisons between no-SELinux and disabled-SELinux
>   installations to make sure the impact is minimal.
>
> Cheers,
>
> Tim