On 01/11/13 08:56, Timothée Ravier wrote:
> On 31/10/2013 00:36, Allan McRae wrote:
>> On 31/10/13 09:36, Timothée Ravier wrote:
>>> Only packagers will be impacted as there are still some patches needed
>>> and this could slow down 'core packages' updates when issues arise. But
>>> fixes usually come quite quickly as both Fedora and Gentoo maintain
>>> packages with SELinux support.
>>
>> Requiring patches not accepted upstream is an immediate blocker.
>
> Sorry, I chose my words poorly. I meant two things:
> * First, patches required for SELinux should be pushed and accepted
> upstream. I don't know the current state of those. I'll post an
> update later.
> * Future core package releases may require patches to make SELinux
> work or even make the packages build with SELinux activated. On this
> front there isn't too much to be concerned about as both Gentoo and Fedora
> SELinux folks are affected by those issues too and will surely provide
> patches which we could push upstream if necessary.

It is completely necessary that all these patches are pushed upstream due
to the Arch patching policy.

>>> I see a couple of issues that will also have to be resolved for SELinux
>>> on Arch to be usable:
>>> * It needs some support in pacman, otherwise package updates will be
>>> painful;
>>
>> I'm interested as a pacman developer what support would be needed, but
>> that too is a likely blocker.
>
> First, as I don't know pacman internals very well, I may say/assume
> stupid things. Please correct me if that happens.
>
> Among other things, SELinux uses labels stored in files' extended
> attributes to do access control. You can reset those attributes to the
> default values from the policy using the restorecon command tool or
> using a function in the libselinux library.
>
> However, I suspect that updating packages using pacman will overwrite
> those attributes, requiring relabeling at each update as we don't know
> which files had their attributes changed.
>
> What's needed is a switch/option in pacman to restore SELinux labels on
> both new files and files that have been overwritten during update.
>
> I'll work on a patch once I get a test system running again.
>
> Is this something unacceptable to put in pacman?

Sounds like this should be a post update hook. But we don't have hooks yet...

A
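The relabeling problem discussed in the quoted paragraphs, as an added example that is neither pacman's nor libselinux's code: a small Python reimplementation of the file_contexts lookup that restorecon performs (last matching entry wins, type filters honoured), run over a constructed spec and constructed post-upgrade labels to list exactly the files a post-update step would need to relabel. The spec entries, paths and labels are invented sample data; on a live system the current label would be read from the `security.selinux` xattr (for example with `os.getxattr`) instead of the inline dictionary.

```python
"""Report package files whose SELinux label differs from the policy default."""
import re

# Constructed file_contexts-style spec: regex, optional type filter, context.
# As in file_contexts(5), the last matching entry wins; "<<none>>" = leave alone.
SAMPLE_FILE_CONTEXTS = """
/.*                        system_u:object_r:default_t:s0
/usr(/.*)?                 system_u:object_r:usr_t:s0
/usr/bin(/.*)?             system_u:object_r:bin_t:s0
/usr/bin/passwd        --  system_u:object_r:passwd_exec_t:s0
/etc(/.*)?                 system_u:object_r:etc_t:s0
/etc/shadow            --  system_u:object_r:shadow_t:s0
"""

# Constructed labels as a package's files might look right after extraction:
# {path: (file type as in file_contexts, current label or None if unlabeled)}
SAMPLE_OBSERVED = {
    "/usr/bin/passwd": ("--", "system_u:object_r:bin_t:s0"),     # wrong type
    "/usr/bin/chsh": ("--", "system_u:object_r:bin_t:s0"),       # correct
    "/etc/shadow": ("--", "system_u:object_r:shadow_t:s0"),      # correct
    "/etc/login.defs": ("--", None),                             # label lost
}

def parse_file_contexts(text):
    """Return [(compiled regex, type filter or None, context)] in file order."""
    specs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        regex, ftype, ctx = parts if len(parts) == 3 else (parts[0], None, parts[1])
        specs.append((re.compile(regex), ftype, ctx))
    return specs

def expected_context(specs, path, ftype="--"):
    """Policy default for path: scan from the last entry back, honour type filters."""
    for regex, spec_type, ctx in reversed(specs):
        if spec_type in (None, ftype) and regex.fullmatch(path):
            return None if ctx == "<<none>>" else ctx
    return None

def find_mislabeled(specs, observed):
    """{path: (current, expected)} for every file restorecon would change."""
    out = {}
    for path, (ftype, current) in sorted(observed.items()):
        expected = expected_context(specs, path, ftype)
        if expected is not None and current != expected:
            out[path] = (current, expected)
    return out
```

Feeding the files of the packages a transaction touched (rather than the whole filesystem) into `find_mislabeled` is what makes a per-update relabel cheap compared with a full restorecon run.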