On Sun, 2006-06-04 at 15:18 -0400, Jeremy Katz wrote:
> On Thu, 2006-06-01 at 13:51 -0500, Matt Domsch wrote:
> > Should those files get compiled into modules, and installed, using
> > mock's SRPM, or should they go into selinux-policy-targeted?
>
> Right now, they should go into the main policy package. Work is
> underway to allow reasonable packaging of policy within other packages,
> but there are some dependencies there which need to be handled first.

I tend to agree. Whilst there are already a few packages in Extras with
custom policy hacks (semanage calls mainly, though pureftpd has a custom
module), there isn't yet a definitive way to do this nice and cleanly (see
the "SELinux Module Packaging in FC5" thread).

> Also, I'm not 100% convinced that relaxing what mock is allowed to do
> unconditionally like is described there is the best approach. Not that
> anything better is immediately coming to mind at the moment :-/

Major problems that need to be overcome in order to do something better
include:

1. Mock itself loads a dummy libselinux, which makes everything that
   happens under its control believe that SELinux is disabled.

2. The entire default file context tree in policy (and add-on modules,
   semanage-ed custom policy tweaks etc.) would need to be duplicated for
   each chroot.

Paul.