[DSE-Dev] How to package policy?

Erich Schubert erich at debian.org
Sun Mar 12 00:26:30 UTC 2006


Hi Thomas,
> #1: Select policy modules with debconf.

I fear we might be hitting debconf limitations quite early when trying
to make a nice UI. I was thinking along the lines of providing the user
a three-way choice basically: "autoinstall", "don't install" and
"install". With a four-way display, which makes a difference between "auto
installed" and "auto not installed".
We could have all policy modules on "autoinstall" by default, and have
the user manually add extra modules or remove modules from the list.
Similar to aptitude basically.
The packages set to autoinstall would then be selected by matching them
with installed packages (like my script tries to do) and dependency
handling.
Unresolved dependencies should of course be reported to the user, so we'll
probably need some "error" state, too.

> #2: Change booleans via debconf.

Sounds good to me.

> #3: Ship binary policy modules or only policy sources?

Definitely ship precompiled modules, and policy source.
I'd like to have a source package that allows me to easily build
additional modules.
Note that due to certain current design/policy limitations, you'll often
need to modify existing policy modules when adding new stuff. IMHO this
is bad, but that is the current way with the interfaces.
(e.g. if cron can search your data files, you currently have to define an
interface and make cron call it)

Oh, and forget about having the policy sources as Debian conffiles.
You'll hit an APT limitation, namely a 64k limit for the package
information, which lists all the conffiles with full path and maybe
md5sum.

> We could also ship policy sources and binary policy modules as separate
> packages, but I'm not clear how users would switch between them. Should
> these packages conflict with each other?

In our current setup they can be installed alongside each other,
and I think that works okay.

best regards,
Erich Schubert
-- 
     erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C     (o_
 A man doesn't know what he knows until he knows what he doesn't know. //\
        The shortest connection between two people is a smile.         V_/_



