Vitaly Zaitsev via devel writes:

> On 05/09/2021 14:52, Sam Varshavchik wrote:
>> if only a great, overwhelming majority of Fedora package maintainers were able to write policies for their own packages and maintain it themselves because SELinux documentation was ample and easy to follow
>
> https://pagure.io/packaging-committee/issue/726
> https://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft
Which parts of the above describe, and explain, how to write the SELinux policy itself? Once it's written that's a great piece of documentation to follow, to explain how to package this policy. But this is putting the cart before the horse. The package maintainers have to actually understand how to write SELinux policies, first.
The problem isn't the technical details of how to package an SELinux policy with the package.
The problem is the domain knowledge needed to write that SELinux policy in the first place. It's siloed mostly in the selinux package itself. I assert that the documentation above is not going to be useful to 95% of the package maintainers. A few of them will know how to write a policy, and then follow the above wiki. The rest will not. Prove me wrong.
I posted this link before: https://raw.githubusercontent.com/svarshavchik/libcxx/master/packaging/fedora/libcxx.te

Where is the documentation that explains /all/ of the above, and what it means? I wrote that policy, of course, but even now, just a short time later, I can't for the life of me tell you where all that documentation is. Because there isn't any, I had to figure it out based on scraps of other selinux policies that I looked at, and based on my experience with other stuff that did NOT involve SELinux.
You will not find any documentation that explains /all/ of that on https://selinuxproject.org
And at most 5% of the above is explained in https://selinuxproject.org/page/RefpolicyWriteModule

And until the state of the world is such that SELinux is not a siloed domain, that it's amply documented, and package maintainers have documentation that they can use to write their own policy, for the package that they fully understand and support, SELinux will continue to break random stuff, over and over again.