On Tue, 2004-04-06 at 20:02 -0400, Colin Walters wrote:
> On Tue, 2004-04-06 at 19:46, Jeremy Katz wrote:
> > I actually pretty strongly disagree here. I think that we need to move
> > to where policy for various daemons is included and maintained along
> > with the daemon.
>
> The reason policy is centralized is because it allows one to easily
> analyze the entire thing at once, and also makes it easier to make
> sweeping changes by modifying just a few files.

This could be argued for a lot of other things too. It's completely unscalable, though. I'll reference specspo again. Also, it means that whenever something new is added, either a) the person adding the package has to analyze it and then add to the policy package (which they don't own) and make the changes, or b) the owner of the policy package has to update every time this happens and be told about it. This doesn't happen (cf. problems with packages never ending up in comps).

> > Otherwise, we have a never-ending battle of one huge
> > monolithic package that will end up with bizarre dependencies on apps.
>
> I'm not sure I understand - how does policy depend on applications?

Right now we have policy dependent on a new enough kernel. I'm willing to bet that we'll get an application behavior change at some point that's going to end up making the policy require a specific version of some program. It's even worse if they're not specified (and to some extent, this is currently the case -- we know that the policy will break if you don't have new enough versions of some packages that have required SELinux-specific changes).

> > There's a reason we don't, eg, put all of the German translations for
> > everything we ship in, eg, a translations-german package. It just
> > doesn't scale maintenance-wise.
>
> Translations are different from SELinux security policy in that they're
> mostly independent of one another.

I don't think that they're really any more independent than the policy _should_ be. The policy for sendmail should have no relation to the policy for httpd. The two are orthogonal to each other. Sure, there's going to be some base set that everything depends on, but that's true in other cases too (see the core eight or so packages that everything in the distribution depends on).

Jeremy