-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 10/31/2013 08:43 AM, Steve Lawrence wrote: > On 10/30/2013 04:47 PM, Stephen Smalley wrote: >> On 10/30/2013 04:43 PM, Stephen Smalley wrote: >>> On 10/30/2013 04:36 PM, Daniel J Walsh wrote: >>>> Well we have done some work on combining like domains, see antivirus >>>> and spamassassin, but this is a lot of work which no one has time >>>> for. >>>> >>>> I would love to see the mailserver and mailclients domains combined. >>>> >>>> If people want to suggest or more importantly submit patches to >>>> combine other domains, I am all for it. >>>> >>>> Problems with shipping policy within rpm still exists. although we >>>> (Red Hat) are at least moving toward layered products shipping their >>>> own policy. openstack-selinux, openshift-selinux, gluster-selinux. >>>> This is more for them updating quicker then RHEL. >>>> >>>> 1. semanage is slowwwwwwwww. If we ran all pp files without >>>> combining them into a single transaction the installation and yum >>>> updates would take a long time. >>> >>> Yes, I have to wonder if we don't need a complete overhaul/replacement >>> of libsemanage (+ module portions of libsepol). It seems like >>> semodule/semanage transactions are far slower than running the entire >>> policy through checkpolicy again (i.e. just using source modules and >>> running them through m4 + checkpolicy on each transaction, ala the >>> source policy module work that sadly has yet to reach >>> maturity/completion). >> >> However, on this note, I'm pretty sure that the rpm work allows you to >> just collect up all of the policy modules and run semodule once at the >> end (collections or whatever). So that particular problem should be >> solved already even for the binary modules. >> > > This is correct. the collection feature of RPM gathers up all selinux > policies from all the rpms in the yum/rpm transaction and installs them all > in a single semanage transaction. Note that although the work was > upstreamed, last I checked, the building of the selinux plugin that > performs the work to aggregate and install the policy modules is currently > disabled on fedora. > >>> >>>> 2. Cordination between domains, we put a fix into an interface and >>>> we need to trigger 10 packages to update. >>>> >>>> For every apache bug in policy, do we want to wait for an update >>>> apache package, or do we ship lots more packages. >>> >>> That's also fixed if we go with source modules, right, since interface >>> change would get applied by the m4 + checkpolicy cycle. Or CIL. >>> >>>> 3. Uninstall of types leaves unlabeled_t content on disk. >>> >>> That's the only one that seems fundamental. What if we pushed all >>> file type declarations into their own module linked to the base >>> filesystem package and just always installed that? That won't affect >>> policy size substantially; it is the allow rules that are the issue >>> IIUC, not just the type decls. >>> > > The way this is handled in the RPM collection feature is modules are never > uninstalled, even if the package that installed that module is. Not ideal, > but it solves this problem. > > > -- This message was distributed to subscribers of the selinux mailing > list. If you no longer wish to subscribe, send mail to > majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes > as the message. Can you open a bugzilla on this, and show me point me at documentation on how to use this. In current Fedora we are attempting to ship a binary policy precompiled so we do not take a long time/memory in initial install. But it would be nice to tell people to use the new feature to run their policy load in a transaction. It would also be nice if we could do semanage commands within this transaction. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlJypfQACgkQrlYvE4MpobOYvgCeKNApBdzF79GRlgxylcyacwGp siQAoKdnXhyIa/x1ezXb0bMKCA0ZoOjq =oReg -----END PGP SIGNATURE----- -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
