Re: Policy Module Packaging Guidelines (first draft)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Wart wrote:
Paul Howarth wrote:
I've written up my thoughts on packaging policy modules with applications:

http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules

Fire away!

Looks good!

* s/scrope/scope/

Kindly fixed by Matthew yesterday.

* In the 'separate subpackage' section do you want to add a note about
making the -selinux subpackage an entirely new package with its own
specfile, instead of a subpackage in an existing spec file?

Advantages:

Keeps the spec files much simpler and easier to read.
Allows for separate maintainers of the main and -selinux packages.
selinux packages can be updated without pushing new builds of the main
package

Disadvantages:

Care must be taken to make sure that the selinux package is updated with
the main package as needed.
What value should be given for the URL and License tags in the spec file?

I think this idea merits some discussion. I tend of think of policy modules as being rather like kernel modules, in that they're things that are useful and usable whilst still under development but that ideally should eventually become unnecessary because they get merged into the main upstream project. So a separate package should be a short-lived package really.

I see the merits of having a separate package but I'd be in favour of such packages having to be justified as per kernel modules, along with a roadmap for an upstream merge.

* I like the inclusion of the source files in %doc.  That can be
extremely useful.

* You should note that you can't use 'service myapp condrestart' in
%postun to transition a daemon process back to the unconfined domain
after the module has been unloaded.  You have to first transition the
daemon domain, then remove the policy module.  Otherwise the process
will end up in an odd state and can't be killed until selinux is disabled:

%postun selinux
    /usr/sbin/setsebool %{name}_disable_trans 1
    /sbin/service %{name} condrestart > /dev/null 2>&1 || :
    for selinuxvariant in %{selinux_variants} ; do
        /usr/sbin/semodule -s ${selinuxvariant} -r mymodule &> /dev/null
|| :
    done

Note added.

* How should the selinux policy module be versioned?  Should it match
the application versioning?  Are there any restrictions on policy module
version numbers?

I don't think that policy numbers need bear any resemblance to the main package version; I've added a note to that effect. I'm not sure what the actual restrictions are on numbering, e.g whether any characters not in the class [0-9.] are allowed.

* Using %{name} instead of 'myapp' in the templates would make it easier
to copy/paste them into existing packages

I don't think "myapp" appears anywhere where it wouldn't be completely replaced in the template, so I don't think changing it to %{name} would be useful. However, the module name "mymodule" appears in a way that is very generic, so I added a define of %{modulename} at the top of the template and replaced "mymodule" with "%{modulename}" everywhere.

* Don't you want to call 'fixfiles -R' in the %post and %postun sections
of the sample templates?  You included it in the scriptlets section above.

I did, but I think the scriptlet code is likely to be so different for different packages that I didn't want to include too much in there on the basis that some people might just cut-and-paste things that aren't necessary.

How about I use "restorecon" in one of the templates and "fixfiles" in the other, in order to illustrate that there's no one "right" way of doing it?

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux