[DSE-Dev] refpolicy REMOVED from testing

Laurent Bigonville bigon at debian.org
Thu Dec 12 14:13:23 UTC 2013

On Thu, 12 Dec 2013 21:48:41 +1100,
Russell Coker <russell at coker.com.au> wrote:

> I think that up/downgrading to a different policy when the version
> only differs in the Debian part should unconditionally run
> selinux-policy-upgrade.  When the upstream version is different then
> it should just prompt the user as it currently does.

Mika has rewritten the post-install script completely to load all the
modules by default (except the modules that are irrelevant to Debian
like anaconda or portage). That means that we are not looking at the
installed packages anymore; this was not really scalable, and the fact
that it was not installing new modules when new .debs were installed
could be confusing for the user. We are however not re-enabling modules
that the user has explicitly disabled using semodule -d.

We are also upgrading the complete policy all the time now, which makes
selinux-policy-upgrade a bit useless. We could maybe add a debconf
question to allow the user to disable this.

> As an aside when the selinux-policy-upgrade script was written it
> took several minutes to run on reasonably good hardware so run time
> was a factor in the decision to not make it run by default.

This has been more or less fixed by setting "expand-check=0"
in /etc/selinux/semanage.conf. semodule -B takes something like 10s to
run here on my laptop.

> Also while on the topic we need to get it to do a fcontext diff and
> run restorecon as they do in Fedora.

Indeed we should maybe also look at this and force a relabel if needed.


Laurent Bigonville
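As an added illustration, not the packaging script Mika wrote, here is a small POSIX sh function that applies the rule described in the mail: load every available module except the Debian-irrelevant ones, without re-enabling modules the user disabled with semodule -d. The "name version [Disabled]" listing format, the module names and the sample listing are constructed assumptions so the logic runs without semodule installed.

```shell
#!/bin/sh
# Modules that are irrelevant on Debian and are never loaded (names from the mail).
SKIP_MODULES="anaconda portage"

# Print, one per line, the modules a postinst should (re)load.
#   $1: newline-separated names of the .pp modules shipped by the package
#   $2: a "semodule -l"-style listing; assumed format "name version [Disabled]"
# A module present in $1 but absent from $2 is new and gets loaded;
# a module marked Disabled was switched off by the admin and is left alone.
modules_to_load() {
    available="$1"
    listing="$2"
    # Names the user explicitly disabled with "semodule -d".
    disabled=$(printf '%s\n' "$listing" | awk '$3 == "Disabled" { print $1 }')
    printf '%s\n' "$available" | while IFS= read -r mod; do
        [ -n "$mod" ] || continue
        skip=0
        for s in $SKIP_MODULES $disabled; do
            [ "$mod" = "$s" ] && skip=1
        done
        if [ "$skip" -eq 0 ]; then
            printf '%s\n' "$mod"
        fi
    done
}

# Constructed sample input: five shipped modules, one of them (dbus) not yet
# loaded, and a listing in which the admin has disabled cups.
SAMPLE_AVAILABLE="apache
anaconda
cups
dbus
portage
ssh"
SAMPLE_LISTING="apache 1.13.0
anaconda 1.0.0
cups 1.15.0 Disabled
portage 1.4.0
ssh 2.1.0"

# Each printed name would be passed to "semodule -i" by the real script.
modules_to_load "$SAMPLE_AVAILABLE" "$SAMPLE_LISTING"
```

Expected output for the sample data is apache, dbus and ssh: anaconda and portage are skipped, cups stays disabled, and dbus is picked up as a new module.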