lör 2007-10-20 klockan 11:52 +0300 skrev Panu Matilainen: > If each package were fully in control of it's own policies, > storing the labels in packages themselves might make sense. I think it's good to keep in mind that SELinux is, as I see it, separate from everything else _by design_. It's a firewall, it's a part of multi-layer security. It's supposed to describe not really a policy but rather "expected behaviour", in a form that is separate from the actual policy and behaviour (the software itself). That way, if the behaviour of the software is not what we expected it to be (a security problem), maybe the description of the behaviour (the SELinux policy) is what was expected, and thus this layer of security catches the problem. Thus, it's not strange that it's perhaps a bit difficult to integrate SELinux with the rest of the system. I maintain a package that I'd like to submit to Fedora. But before I do that I need to figure out how to make it play nicely with SELinux. (It's the Heimdal Kerberos implementation. It has a telnetd that is launched from xinetd, so it needs to break out of the context xinetd is running as before exec:ing the user's shell.) It works if you setsebool the right config key, but I don't really know how to solve it the proper way. Would putting the policy in the package actually help make my problem easier? Since I don't understand the problem fully and don't know how to fix it, I would still need to talk to the people who know SELinux well. That means it's not really a problem to let them update the central policy files instead of me doing whatever needs to be done in the package. /abo -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
