On 10/31/13 at 09:36am, Allan McRae wrote:
> On 31/10/13 09:36, Timothée Ravier wrote:
> > On 29/10/2013 01:21, Allan McRae wrote:
> >> I'd suggest that someone maintains an unofficial repo with all the
> >> packages required to set this up to prove the work required for
> >> continual maintenance of this has been done. Then requests could be
> >> made to (e.g.) add support to the kernel, providing full details of what
> >> is required and if it has any effect on those not using SELinux.
> >
> > Hi,
> >
> > I've had this on my TODO list for a while but never got to finish it up
> > to the point of having a really functional system as it is quite time
> > consuming (especially the SELinux policy fixing part).
> >
> > But I should have some time for it now so I'll try to make those packages.
> >
> > Impact for non-SELinux users should be rather minimal:
> > * kernel: TOMOYO is already enabled and needs an explicit boot parameter to
> > operate and so will SELinux once enabled. No major changes here except
> > for a slightly bigger kernel.
> > * userspace: only a very restricted set of packages needs tweaks, but
> > it won't impact performance for non-SELinux users. No major changes here
> > except for slightly bigger packages.
> >
> > Only packagers will be impacted as there are still some patches needed
> > and this could slow down 'core packages' updates when issues arise. But
> > fixes usually come quite quickly as both Fedora and Gentoo maintain
> > packages with SELinux support.
>
> Requiring patches not accepted upstream is an immediate blocker.
>
> > I see a couple of issues that will also have to be resolved for SELinux
> > on Arch to be usable:
> > * It needs some support in pacman, otherwise package updates will be
> > painful;
>
> I'm interested as a pacman developer what support would be needed, but
> that too is a likely blocker.
>
> > * It needs a proper policy tuned for Arch Linux packages. Filesystem
> > hierarchy differences between Fedora and Arch will prevent us from just
> > applying the Fedora policy to Arch;
> > * Performance comparisons between no-SELinux and disabled-SELinux
> > installations to make sure the impact is minimal.
> >
> > Cheers,
> >
> > Tim
> >
>
>

Although I'm not a fan of SELinux, it would be nice if there was a list
(wiki article) which lists all patches we need to apply on our
packages. (Who provides these patches btw?) And which policy files we need
to ship with our packages.

--
Jelle van der Waa