On Thu, 13 Oct 2005 11:29:10 -0400, Stephen Smalley wrote:

> Good questions; I don't think that this has been fully resolved. MLS
> compatibility is also an issue; Fedora has enabled MLS/MCS, whereas other
> distros have not yet done so, and the format is affected by that.

Ah, right ... yes this is the sort of thing we have to watch out for. I want to be able to distribute a single binary that works on any distro - think commercial software, though it's useful for open source projects too.

> Not the "capability names" i.e. class/permission names, but the
> domain/type names can vary.

Right, OK, that's what I thought. My initial target is super-simple: restrict installers from loading kernel modules. I know there are lots of ways around that if this is the only restriction but I want to start simple and work up from there (next step would be to stop installers interfering with critical system files etc).

One issue that will affect that is how uniform labelling is under /etc - hopefully Fedora, Gentoo and any other distros that support SELinux will move to the reference policy soon. Of course, as only Fedora ships it on by default in a desktop install for now, being Fedora-specific is acceptable.

> Yes, I agree with that. One potential issue is with installing a large
> number of packages; you'd like to be able to batch up all of the policy
> modules into a single policy update and load, and then unpack all of the
> packages.

Indeed. Autopackage can cope with that fine as it uses a two-phase install, but as AP isn't designed to run a distribution but rather distribute 3rd party software Loki Setup style, that's not much use here :)

thanks -mike