On Wed, 12 Oct 2005 12:15:42 -0400, Stephen Smalley wrote:

> The module support is already in rawhide (as part of the existing SELinux
> packages plus the introduction of libsemanage) but getting it properly
> integrated and used there is still work in progress (but still expected
> for FC5, I believe, barring any unexpected obstacles). Documentation is
> woefully lacking presently, but there is a README.MODULES in selinux-doc
> and some information over at
> http://sepolicy-server.sourceforge.net/index.php?page=module-language

The module language looks nice. I especially like the optionals feature, if only ELF had that :)

> However, by itself, the module support doesn't solve the problem of
> confining packages/package managers. It just allows policy modules to be
> built and shipped separately from the base distro policy, with proper
> dependency checking when they are installed. For access control over the
> policy itself, you further need the policy server, which is also work in
> progress but I don't think targeted for FC5.

Hmm, I don't quite understand - my intention was to ship a binary policy module installed when the package manager is first installed, which then defines a new domain almost_but_not_quite_root (with a better name of course ;). Packages/installers would then be run in this domain instead of being unconfined.

Why does this need access control on the policy itself? Or do you mean, that in FC5 it won't actually be possible to install third party policy modules?

thanks -mike

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list