Re: How is the upstream SELinux refpolicy tied into Fedora?

On 31/03/2023 17:08, Petr Lautrbach wrote:
David Sommerseth <dazo@xxxxxxxxxxxx> writes:

On 31/03/2023 16:36, Neal Gompa wrote:
On Fri, Mar 31, 2023 at 9:58 AM David Sommerseth <dazo@xxxxxxxxxxxx> wrote:


Hi,

I had an upstream SELinux pull-request merged in autumn 2020 [1].  But I
still don't see this SELinux boolean flag (renamed [2] to
"dbus_pass_tuntap_fd") present in Fedora 38.  So I wonder how the
SELinux refpolicy is consumed into Fedora's SELinux policies ... when
can I expect to see this in Fedora and RHEL SELinux policies?


The best way is to create a bug with a request to backport a patch or
create a PR on github.com/fedora-selinux/selinux-policy

Alright, I'll wrap up a patch and pull-req for fedora-selinux too.

But for OpenVPN 3 Linux I do have an additional policy for a few of the D-Bus services as well. Would it make sense to just keep them in the openvpn3-linux project, or should I try to get them to some more widespread SELinux reference policies?

Considering the discoveries of today, I'm kind of wondering if it's best to keep it how it is. That way I can ensure it's available on all distributions with SELinux support more easily. But I'm open to think differently.

[...snip...]

Maybe not the right place to ask ... but what is the purpose and goal of
the SELinux refpolicy project if several of the larger Linux
distributions don't pay attention to it?

I kinda would expect that lots of the SELinux policy details in Fedora
would be pretty much the same challenges in other distributions as well.


AFAIK refpolicy was more conservative while fedora-selinux was more
focused on usability on desktop. They're still somehow compatible, they
use the same build process and backports from or to fedora-selinux still happen
from time to time, but fedora-selinux is not considered a fork anymore.

Okay, good to know. Is fedora-selinux specific to Fedora/RHEL only, or do other distributions also use this as their refpolicy?


--
kind regards,

David Sommerseth
OpenVPN Inc
