[DSE-Dev] How to package policy?

Thomas Bleher bleher at informatik.uni-muenchen.de
Sat Mar 11 23:04:57 UTC 2006


[Hi Manoj, I didn't know if you were on the list so I added you in the CC]

I had some nice discussions with Manoj Srivastava at the SELinux
Symposium about how to best package policy. I didn't have time yet to
implement any of this but I wanted to discuss it here so we get some
consensus. Maybe someone even wants to write the code to do this? ;-)

#1: Select policy modules with debconf.
I think the correct way to select which policy modules to load is to ask
the user via debconf. We could of course try to preseed the questions by
looking at the installed packages (like the code Erich already put into
the policy package).
I'm not really sure how we should handle dependencies between policy
modules. Maybe we could record them in the debconf script and inform the
user, after he has made his choice, which additional modules will be
installed.

#2: Change booleans via debconf.
Dan Walsh proposed a "harden-selinux"-script which would go through all
relevant booleans and ask the user questions like "Do you want to allow
apache to connect to external databases?". Manoj and I agreed that this
would be a very nice thing to have and that it would best be implemented
as additional debconf questions.

#3: Ship binary policy modules or only policy sources?
This one I'm not sure about. I think we want to allow people to locally
modify policy but still use the Debian packages. If people just want to
add policy that's no problem anymore as they can just build a new
policy module. But we should also support users modifying modules or
removing permissions, IMHO.
We could do this by shipping just policy sources, and recompiling and
reloading policy in the postinst. We would mark every policy source file
as a conffile so changes would be handled by dpkg automatically.
I like this solution very much, but it would require every SELinux
system to have make, python, gawk and probably other programs installed,
so I don't know if this is OK.
We could also ship policy sources and binary policy modules as separate
packages, but I'm not clear how users would switch between them. Should
these packages conflict with each other?

Any comment would be greatly appreciated,
Thomas

-- 
American Non Sequitur Society: we don't make sense, but we do like pizza.
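
An added illustration of the dependency handling raised under #1 (not part of the original message and not code from the Debian policy package): POSIX shell functions that expand a user's module selection to its transitive prerequisites and report which modules were pulled in. The module names and the dependency table are constructed, and the selection is assumed to arrive as a comma-separated list, as a debconf multiselect answer would.

```shell
#!/bin/sh
# Constructed dependency table, one "module: prerequisites" entry per line.
# These names and relationships are illustrative, not real policy data.
DEPS='apache: base
mysql: base
phpapp: apache mysql
base:'

# deps_of MODULE -> direct prerequisites of MODULE (empty if none or unknown).
deps_of() {
    printf '%s\n' "$DEPS" | sed -n "s/^$1: *//p"
}

# closure "a, b" -> the selection plus every transitive prerequisite, sorted.
# The "seen" list also makes the loop terminate on cyclic dependencies.
closure() {
    seen=''
    todo=$(printf '%s' "$1" | tr ',' ' ')
    while :; do
        next=''
        for m in $todo; do
            case " $seen " in *" $m "*) continue ;; esac
            seen="$seen $m"
            next="$next $(deps_of "$m")"
        done
        # Stop once a round discovers no further prerequisites.
        [ -n "$(printf '%s' "$next" | tr -d ' \n')" ] || break
        todo=$next
    done
    printf '%s\n' $seen | sort | tr '\n' ' ' | sed 's/ $//'
}

# extras "a, b" -> modules that will be installed although the user did not
# pick them; this is the list to show after the choice has been made.
extras() {
    chosen=" $(printf '%s' "$1" | tr ',' ' ') "
    out=''
    for m in $(closure "$1"); do
        case "$chosen" in *" $m "*) ;; *) out="$out $m" ;; esac
    done
    printf '%s\n' "${out# }"
}

echo "Selected: phpapp; additionally installing: $(extras 'phpapp')"
```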