Adding confinement to an EPEL package

Hi all,

A while back my pull request to contribute a policy for sslh in Fedora was accepted and indeed all users have been protected by having the daemon confined if they use it since Fedora 23.

RHEL does not have the policy included, so EPEL users aren't subject to the same benefits of SELinux for this network service.

I'd like to rectify this if possible (I'm going to ignore F22 given how soon the EOL on it is and the change in behaviour that would result on users).

The draft packaging guidelines for a policy in Fedora[1][2] are rather archaic at this point but I figure I can base the changes to the spec on this to an extent.

I have a few questions/concerns though:

1) What is the consequence of someone having SELinux disabled (common on EL5 systems and to an extent EL6) with the semodule call to install the .pp in %post? Will this prevent the package from being installed, and if I condition it on getenforce output to avoid doing so on a disabled system, will the module still be installed if the admin then enables SELinux?
2) Is it better practice to have a separate -selinux package in the spec or just do it in the one package? If a separate package what would be the best way to ensure upgrading users get the policy? I see suggestions of a -core package ... perhaps turn the main foo package into a dummy that requires both -core and -selinux?
3) If the SELinux maintainers in RHEL import the sslh policy from fedora contrib at some point, what effect would this have on my users? Would I need to issue a new update without the .pp and uninstalling the module to allow them to upgrade their SELinux policy?

Cheers,

James


[1] https://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft
[2] https://fedoraproject.org/wiki/PackagingDrafts/SELinux
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
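The scriptlet logic the questions above turn on (install on first install and on upgrade, remove only on final removal, never let a failing semodule abort the rpm transaction, relabel only when SELinux is actually enabled), written out as an added example that is not code from the post or from the sslh package. It follows the shape of the draft guidelines the post links but is shell functions rather than a spec so it can be exercised outside rpm; the module name sslh, the /usr/share/selinux/packages/sslh/sslh.pp path, and the SEMODULE/SELINUXENABLED override variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example: %post / %postun logic for shipping an SELinux policy module
# with an EPEL package, modelled on the draft SELinux packaging guidelines.
# Nothing here is taken from sslh's own spec; the paths and module name are
# assumptions for illustration.

# Where the packaged .pp is installed (assumed path, in the spirit of
# %{_datadir}/selinux/packages/%{name}/%{name}.pp).
SSLH_PP=${SSLH_PP:-/usr/share/selinux/packages/sslh/sslh.pp}
# Module store and SELinux-state commands; overridable so the logic can be
# run without root or a real policy store (assumed hook, not an rpm feature).
SEMODULE=${SEMODULE:-/usr/sbin/semodule}
SELINUXENABLED=${SELINUXENABLED:-/usr/sbin/selinuxenabled}

# %post receives "$1": 1 on first install, 2 or more on upgrade.
# The module is (re)installed on both, so users upgrading from a build that
# had no policy get it too.  "|| :" means a failing semodule (for instance on
# a box with SELinux disabled) never fails the package install; whether
# semodule succeeds on such a box is exactly the open question in the post,
# and the scriptlet is written so the answer does not matter.
sslh_post() {
    if [ "$1" -ge 1 ]; then
        "$SEMODULE" -i "$SSLH_PP" 2>/dev/null || :
    fi
    # Relabelling touches the live system, so do it only when SELinux is
    # enabled; the store update above happens regardless.
    if "$SELINUXENABLED" 2>/dev/null; then
        /sbin/fixfiles -R sslh restore 2>/dev/null || :
    fi
    return 0
}

# %postun receives "$1": 0 on final removal, 1 or more on upgrade.
# Remove the module from the store only when the package really goes away;
# on upgrade the new package's %post has already reinstalled it.
sslh_postun() {
    if [ "$1" -eq 0 ]; then
        "$SEMODULE" -r sslh 2>/dev/null || :
    fi
    return 0
}
```

Dropped into a spec, the bodies of sslh_post and sslh_postun become the %post and %postun scriptlets, with rpm supplying "$1". Note that the selinuxenabled test guards only the relabel, not the semodule call: conditioning the module install on the current SELinux state is what would leave an admin who enables SELinux later without the module.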
