[DSE-Dev] base module

Laurent Bigonville bigon at debian.org
Mon Jan 13 19:00:44 UTC 2014


On Tue, 14 Jan 2014 03:08:47 +1100,
Russell Coker <russell at coker.com.au> wrote:

> On Mon, 13 Jan 2014 16:19:22 Laurent Bigonville wrote:
> [...]
> 
> True.  But seeing a list of 400+ modules isn't helpful either.  Also
> the module names aren't that informative, *I* had to read the source
> of some of those modules to work out what they were doing.

Well, having them compiled in the base.pp is even less transparent IMHO.

> > When the modules are compiled in the base.pp, doesn't that mean that
> > the user cannot disable the don't audit rules?
> 
> If you want to disable dontaudit rules you run "semodule -DB", that
> works for base rules too (at least it did last time I tested, if it
> doesn't it's a bug).

I might be wrong here.

> [...]
> > > Also I'm going to propose removing some modules from upstream.
> > 
> > Well I think that compiling all the modules doesn't really hurt. We
> > have chosen to disable by default the ones that are obviously not for
> > Debian, but install them on disk anyway. They can still be useful
> > for some people.
> 
> I don't think so.  Ones that aren't for Debian can be expected not to
> work without changes.  Shipping broken modules doesn't seem useful.
> 

The ones that aren't obviously for Debian (anaconda,...) could indeed be
dropped. But there are some others that are a bit more on the edge that
should maybe stay. If you are not shipping them, we'll never receive any
bug reports for them. Some kind of chicken-egg problem I guess.


