Jonathan Underwood wrote:
On 09/05/07, Till Maas <opensource@xxxxxxxxx> wrote:
[snip]
There are some drafts in:
http://fedoraproject.org/wiki/PackagingDrafts/SELinux
[snip]
I have been following this discussion a bit, and have read those draft
packaging guidelines, and find myself as a packager rather confused.
That draft details how to add support for SELinux to your package.
But, what isn't clear to me is what the policy is for SELinux support
more globally. Recently I've filed a few bugs against packages that
have had problems with SELinux contexts and in each case the packager
has re-assigned the bugs to the SELinux team, who have fixed the issue
in an updated SELinux policy package.
This would imply that the policy package is where things should be
fixed, SELinux wise. But now that draft leaves me wondering if that is
incorrect.
Sooo.. where should SELinux contexts be set, in each package, or in
the SELinux policy package?
[Sorry if this is a dumb question]
There isn't a single correct answer for that one.
If the program's behaviour is causing SELinux issues (unnecessary
relocations, leaked file descriptors etc.) then the program should be fixed.
If file contexts need setting, the best place to do it is in the main
policy package. This is common with web applications for instance.
There are also more complex cases such as daemons for which no policy
currently exists. This may require the writing of policy for the daemon,
including the introduction of new file context types. This is probably
best done by writing and packaging a policy module (see also
http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules)
and, when the resulting policy appears stable, to get that policy merged
into the upstream reference policy.
Paul.
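As an added illustration of the "policy module" route Paul describes (this is not code from the thread or from the Fedora draft): a minimal module for a hypothetical daemon "exampled" that keeps state under /var/lib/exampled, declaring a private file type and mapping the directory to it in the .fc file so the context is owned by policy rather than by the daemon's own package. It assumes the reference-policy devel Makefile shipped at /usr/share/selinux/devel.

```shell
#!/bin/sh
# Added example; "exampled" and /var/lib/exampled are hypothetical.

# Write <name>.te and <name>.fc into $1 for daemon $2 with data dir $3.
write_module_sources() {
    dir=$1; name=$2; datadir=$3
    cat > "$dir/$name.te" <<EOF
policy_module($name, 1.0)

# Private type for the daemon's state. files_type() registers it as an
# ordinary file type so the generic file-handling rules apply to it.
type ${name}_var_lib_t;
files_type(${name}_var_lib_t)
EOF
    # setfiles/restorecon regular-expression form: the directory itself
    # and everything beneath it get the new type.
    cat > "$dir/$name.fc" <<EOF
$datadir(/.*)?    gen_context(system_u:object_r:${name}_var_lib_t,s0)
EOF
}

# Build the .pp with the reference-policy devel Makefile, load it with
# semodule, then relabel so files that already exist pick up the type.
build_and_install() {
    dir=$1; name=$2; datadir=$3
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$name.pp" ) || return 1
    semodule -i "$dir/$name.pp" || return 1
    if [ -d "$datadir" ]; then restorecon -R "$datadir"; fi
}

# Extract the context the .fc file assigns, to check the mapping before
# loading it (no checkmodule needed for this part).
expected_context() {
    grep -o 'system_u:object_r:[^,]*' "$1/$2.fc"
}

# Stand-alone run: always generate the sources; build and load only when
# the policy devel tools are present and we are root.
workdir=$(mktemp -d)
write_module_sources "$workdir" exampled /var/lib/exampled
echo "generated in $workdir:"; cat "$workdir/exampled.fc"
if command -v checkmodule >/dev/null 2>&1 && [ -d /usr/share/selinux/devel ] \
   && [ "$(id -u)" = 0 ]; then
    build_and_install "$workdir" exampled /var/lib/exampled || echo "build/install failed"
else
    echo "policy devel tools or root privileges missing; sources only"
fi
```

In an RPM, the same build step would run in %build and the semodule/restorecon calls in %post, with `semodule -r exampled` in %postun on final removal.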
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list