On Thu 31 Oct 2013 11:29:32 CET, Jelle van der Waa wrote:
On 10/31/13 at 09:36am, Allan McRae wrote:
On 31/10/13 09:36, Timothée Ravier wrote:
On 29/10/2013 01:21, Allan McRae wrote:
I'd suggest that someone maintains an unofficial repo with all the
packages required to set this up to prove the work required for
continual maintenance of this has been done. Then requests could be
made to (e.g.) add support to the kernel, providing full details of what
is required and if it has any effect on those not using SELinux.
Hi,
I've had this on my TODO list for a while but never got to finish it up
to the point of having a really functional system as it is quite time
consuming (especially the SELinux policy fixing part).
But I should have some time for it now so I'll try to make those packages.
Impact for non-SELinux users should be rather minimal:
* kernel: TOMOYO is already enabled and needs an explicit boot parameter to
operate, and so will SELinux once enabled. No major changes here except
for a slightly bigger kernel.
* userspace: only a very restricted set of packages needs tweaks, but
it won't impact performance for non-SELinux users. No major changes here
except for slightly bigger packages.
Only packagers will be impacted as there are still some patches needed
and this could slow down 'core packages' updates when issues arise. But
fixes usually come quite quickly as both Fedora and Gentoo maintain
packages with SELinux support.
Requiring patches not accepted upstream is an immediate blocker.
I see a couple of issues that will also have to be resolved for SELinux
on Arch to be usable:
* It needs some support in pacman, otherwise package updates will be
painful;
I'm interested as a pacman developer what support would be needed, but
that too is a likely blocker.
* It needs a proper policy tuned for Arch Linux packages. Filesystem
hierarchy differences between Fedora and Arch will prevent us from just
applying the Fedora policy to Arch;
* Performance comparisons between no-SELinux and disabled-SELinux
installations to make sure the impact is minimal.
Cheers,
Tim
Although I'm not a fan of SELinux, it would be nice if there was a list
(wiki article) which lists all patches we need to apply on our
packages. (Who provides these patches, btw?) And which policy files we
need to ship with our packages.
This wiki page already exists [1]. It mentions the patched packages are
available in the AUR. I see no problem if someone wants to provide an
unofficial binary repository for them. And as mentioned by Pablo
Lezaeta, there exists a blog post about Arch with SELinux [2] which is
also referenced in the wiki.
[1]: https://wiki.archlinux.org/index.php/SELinux
[2]: http://www.jamesthebard.net/site/archlinux-selinux-and-you-a-trip-down-the-rabbit-hole/