[DSE-Dev] How to package policy?

Thomas Bleher bleher at informatik.uni-muenchen.de
Sun Mar 12 15:32:18 UTC 2006


Hi Erich!

* Erich Schubert <erich at debian.org> [2006-03-12 01:27]:
> Hi Thomas,
> > #1: Select policy modules with debconf.
> 
> I fear we might be hitting debconf limitations quite early when trying
> to make a nice UI.

I thought debconf allowed for multiple checkboxes like:
 [ ] policy for the apache webserver
 [x] policy for inetd
 [x] policy for the cups daemon
... and so on.
I think this would meet most of our needs. But maybe I should just
implement it to see if it will work.

> > #3: Ship binary policy modules or only policy sources?
> 
> Definitely ship precompiled modules, and policy source.
> I'd like to have a source package that allows me to easily build
> additional modules.

Yeah, me too. Preferably even build a Debian package out of the modified
sources so I can easily copy this policy to other machines.

> Note that due to certain current design/policy limitations, you'll often
> need to modify existing policy modules when adding new stuff. IMHO this
> is bad, but that is the current way with the interfaces.
> (e.g. if cron can search your data files, you currently have to define an
> interface and make cron call it)

Yeah, I hope this will get better in the future. It's also worth
pointing out that the interfaces are just a (good) convention, they are
not enforced, so if you write local policy for yourself and you don't
want to upstream it you can use types as you wish, without any
interfaces.

> Oh, and forget about having the policy sources debian conffiles.
> You'll hit an APT limitation, namely a 64k limit for the package
> information, which lists all the conffiles with full path and maybe
> md5sum.

Isn't this just a fixable bug in APT? Fixing it won't help us for Sarge
of course, but at least we could then provide such packages for Etch
(and maybe Dapper).
[Update: This is already reported:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=350025 ; Hopefully it
will get fixed soon]

> > We could also ship policy sources and binary policy modules as separate
> > packages, but I'm not clear how users would switch between them. Should
> > these packages conflict with each other?
> 
> In our current setup they can be installed alongside with each other,
> and I think that works okay.

Hmm, I haven't really looked at this yet. If both are installed, how do
we decide if we should reload policy on an upgrade? Should this be
another debconf question?

Thomas
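The debconf checkbox idea from the message above, worked through as an added example (not code from the thread or from the Debian SELinux packages): the multiselect template, and POSIX sh helpers a postinst could use to apply only the difference between the selected and the currently loaded modules, so an upgrade that keeps the same selection reloads nothing. The question name selinux-policy/modules, the module names and the .pp directory are assumptions for illustration.

```shell
# Added example, not code from the thread: a debconf multiselect template for
# picking policy modules and POSIX sh helpers a postinst could use to turn the
# answer into semodule calls.  The question name, module names and .pp
# directory are assumptions for illustration.
#
# debian/templates:
#   Template: selinux-policy/modules
#   Type: multiselect
#   Choices: apache, inetd, cups
#   Description: SELinux policy modules to load
# debian/config asks it with the confmodule:
#   . /usr/share/debconf/confmodule
#   db_input medium selinux-policy/modules || true
#   db_go

# debconf hands a multiselect answer back as "inetd, cups"; normalise it to
# one sorted name per line so it can be compared with the loaded set.
split_choices() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' | sort
}

# Print one "install NAME" / "remove NAME" line per change needed to go from
# the currently loaded modules ($2) to the selected ones ($1).  Modules in both
# sets are left alone, so an upgrade that keeps the selection reloads nothing.
plan_module_changes() {
    selected=$(split_choices "$1")
    loaded=$(split_choices "$2")
    for m in $selected; do
        printf '%s\n' "$loaded" | grep -Fxq "$m" || echo "install $m"
    done
    for m in $loaded; do
        printf '%s\n' "$selected" | grep -Fxq "$m" || echo "remove $m"
    done
}

# Read plan lines on stdin and run semodule for each (SEMODULE can be set to
# "echo" to see the commands without running them).
apply_plan() {
    while read -r action name; do
        case $action in
            install) "${SEMODULE:-semodule}" -i "/usr/share/selinux/default/$name.pp" ;;
            remove)  "${SEMODULE:-semodule}" -r "$name" ;;
        esac
    done
}

# In postinst: db_get selinux-policy/modules leaves the answer in $RET and
# "semodule -l" lists loaded modules one per line (first column is the name):
#   plan_module_changes "$RET" "$(semodule -l | awk '{print $1}')" | apply_plan
```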
