[DSE-Dev] base module
Russell Coker
russell at coker.com.au
Mon Jan 13 12:24:30 UTC 2014
A recent change to the policy package involves making every policy a separate
module.
When modules depend on each other there is no compile time issue. You can
compile multiple modules independently and create a mass that has lots of
dependencies and I believe there's nothing stopping circular dependencies. So
making everything a module means that all the dependencies of init (of which
there are many) can be separately compiled without issue. But then managing
those dependencies becomes a module load time issue.
Module dependencies make upgrades difficult in the face of modules being
renamed or made redundant.
I propose that every module which is required for a working system as well as
some modules that are extremely common be included in base.pp.
Then we need to change the policy to remove any dependencies that the modules
in base.pp may have on other modules.
tunable_policy(`init_upstart || init_systemd',`
	corecmd_shell_domtrans(init_t, initrc_t)
',`
	# Run the shell in the sysadm role for single-user mode.
	# causes problems with upstart
	sysadm_shell_domtrans(init_t)
')
For example we had the above in init.te. This can't be made optional_policy
as optional_policy and tunable_policy can't be used together. So in my policy
tree I replaced the second part of the above tunable with the following in
sysadm.te. That means that instead of init.te having a mandatory dependency
on sysadm.te we have sysadm.te depending on init.te.
tunable_policy(`!init_upstart && !init_systemd',`
	# Run the shell in the sysadm role for single-user mode.
	# causes problems with upstart
	init_shell_domtrans(sysadm_t)
')
Currently I'm experimenting with making init, logging, authlogin, application,
userdomain, systemd, dmesg, dpkg, usermanage, libraries, fstools, miscfiles,
mount, selinuxutil, and sysnetwork be base modules.
Also I'm going to propose removing some modules from upstream.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
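As an added illustration of the dependency inversion described in the mail above (this is not part of Russell's message or of the Debian/refpolicy tree): for sysadm.te to call init_shell_domtrans(), the interface has to live in init.if and take the caller's domain as a parameter, so that init.te itself never names sysadm_t. The interface body and the trimmed init.te fragment shown here are assumed, not quoted from any policy tree.

```m4
########################################
## <summary>
##	Execute a shell from the init domain and transition
##	to the caller's domain (assumed interface, not refpolicy's own).
## </summary>
## <param name="domain">
##	<summary>
##	Domain that the shell started by init transitions to.
##	</summary>
## </param>
#
interface(`init_shell_domtrans',`
	gen_require(`
		type init_t;
	')

	# init_t may execute a shell and enter $1.  The calling module
	# (sysadm.te in the mail) supplies $1, so init.te has no
	# reference to sysadm_t and no mandatory dependency on sysadm.
	corecmd_shell_domtrans(init_t, $1)
')

# init.te keeps only the branch that needs nothing outside base;
# the single-user-mode branch now lives in sysadm.te.
tunable_policy(`init_upstart || init_systemd',`
	corecmd_shell_domtrans(init_t, initrc_t)
')
```

The tunables init_upstart and init_systemd remain declared in init.te; since init is a base module, sysadm.te can test them in its own tunable_policy() block without adding a dependency in the other direction.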