[DSE-Dev] base module

Russell Coker russell at coker.com.au
Mon Jan 13 16:08:47 UTC 2014


On Mon, 13 Jan 2014 16:19:22 Laurent Bigonville wrote:
> > I propose that every module which is required for a working system as
> > well as some modules that are extremely common be included in base.pp.
> 
> We have followed the Fedora/Redhat way here. They are also compiling
> everything as separate modules. We also changed the way the modules
> were loaded, can we still get modules loop with this new way?

Red Hat are making a mistake.

> I personally like the fact that everything is a module, this makes it
> easier (IMHO) to see immediately which one is enabled on the machine.
> I'm not sure if it's possible to achieve this if the modules are compiled in
> the base.pp.

True.  But seeing a list of 400+ modules isn't helpful either.  Also the 
module names aren't that informative, *I* had to read the source of some of 
those modules to work out what they were doing.
 
> When the modules are compiled in the base.pp, doesn't that mean that
> the user cannot disable the don't audit rules?

If you want to disable dontaudit rules you run "semodule -DB", that works for 
base rules too (at least it did last time I tested, if it doesn't it's a bug).

> Well we need to see how upstream will do the integration of systemd in
> the refpolicy. Fedora has completely dropped the init_systemd boolean
> for example.

Sure, that's just an example of how policy needs to change.

> > Also I'm going to propose removing some modules from upstream.
> 
> Well I think that compiling all the modules doesn't really hurt. We
> have chosen to disable by default the ones that are obviously not for
> debian, but install them on disk anyway. They can still be useful for
> some people.

I don't think so.  Ones that aren't for Debian can be expected not to work 
without changes.  Shipping broken modules doesn't seem useful.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/