[DSE-Dev] I've created secilc package, please sponsor

Laurent Bigonville bigon at debian.org
Mon May 12 10:43:41 UTC 2014


On Mon, 12 May 2014 01:58:21 +0300,
Victor Porton <porton at narod.ru> wrote:

> 12.05.2014, 01:50, "Laurent Bigonville" <bigon at debian.org>:
> > On Mon, 12 May 2014 00:22:59 +0300,
> > Victor Porton <porton at narod.ru> wrote:
> >
> >>  I also added (untested) code to automatically reload the policy on
> >>  installation/uninstallation. See files cil-install and
> >> cil-uninstall.
> >
> > I would keep this out of the pkg ATM as there is no cil policy in
> > debian for now.
> 
> What is ATM?

ATM == At The Moment

> 
> I think the behavior of my package can be taken as the CIL policy in
> Debian.
> 
> One thing my CIL installation architecture requires is that no two
> installed CIL modules have the same file name. I think this is OK for
> Debian packaging.

[...]
> >>  2. cil-install script was not tested as I have not found any CIL
> >>  testcase to use for this testing.
> >
> > I'm really wondering if we should ship these files at all for the
> > moment (and especially in /etc).
> >
> > I would prefer just pkg the compiler itself for now.
> 
> Why not?
> 
> I think there is no better way to install CIL files than the one way
> I've implemented.
> 
> Essentially, it supports both CIL as conffiles and automatic removal
> (or the symlink) on uninstallation.
> 
> Well, we can also add a configuration file setting a parameter that
> would cancel removal of the symlinks when a CIL-aware package
> uninstalls. But I doubt whether it is really useful.

I don't think (I might be wrong here) it's the role of a package
containing a compiler to create that kind of directory structure
in /etc/selinux, especially since we don't know yet whether there will be
a reference cil policy that will also be released and packaged in debian.
Moreover, you are hardcoding the directory name to /etc/selinux/cil; I
think this limits the flexibility if the user wants to have several
policies installed in parallel.

In my opinion this should be the responsibility of the package shipping
the policy (as the refpolicy package is doing now).

Mika, a comment on this?

> 
> >>  3. debian/watch does not work. Patches are appreciated.
> >>
> >>  My package is Version 0.0.0+git20140511-1 (not Version 0.0.1-1) at
> >>  https://mentors.debian.net/package/secilc
> >>
> >>  Please sponsor my package to go into unstable.
> >
> > I can fix these issues in the following days. Is it still ok of we
> > are putting the pkg in a team maintained repositories?
> 
> I don't understand your question.

s/of/if

I was wondering if you were still OK to put the package under the Debian
SELinux team maintenance and in the team git repository.

> 
> P.S. My purpose is to create a sandbox which can run untrusted programs
> downloaded from the Web. In turn this is to be used in this project
> of mine (not directly related to SELinux):
> http://freesoft.portonvictor.org/namespaces.xml

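As an added illustration of the install/uninstall architecture discussed in this thread (this is not Victor's cil-install/cil-uninstall script, which is not quoted here), the symlink install, the "no two modules share a file name" check, and the symlink-only removal in POSIX shell; CIL_DIR, cil_install, cil_uninstall and cil_installed are hypothetical names, and the policy rebuild/reload step is left out:

```shell
#!/bin/sh
# Hypothetical helpers modelled on the architecture debated in the thread.
# CIL_DIR defaults to the directory the thread mentions (/etc/selinux/cil)
# but is a variable so the helpers can be exercised against a scratch dir.
CIL_DIR="${CIL_DIR:-/etc/selinux/cil}"

# Install a CIL module by symlinking it into CIL_DIR.  Enforces the
# constraint that no two installed modules may share a file name:
# returns 0 on success (or on re-installing the same file), 1 if a
# different file already owns that name.
cil_install() {
    src="$1"
    name=$(basename "$src")
    dst="$CIL_DIR/$name"
    mkdir -p "$CIL_DIR"
    if [ -e "$dst" ] || [ -L "$dst" ]; then
        if [ "$(readlink "$dst")" = "$src" ]; then
            return 0            # same conffile re-installed: idempotent
        fi
        echo "cil_install: $name already installed from $(readlink "$dst")" >&2
        return 1                # name clash with another module
    fi
    ln -s "$src" "$dst"
}

# Remove the symlink on package uninstallation.  Only a symlink that
# points at the given source is removed; a regular file (a locally
# edited copy) or another package's symlink is left untouched.
cil_uninstall() {
    src="$1"
    dst="$CIL_DIR/$(basename "$src")"
    if [ -L "$dst" ] && [ "$(readlink "$dst")" = "$src" ]; then
        rm -f "$dst"
        return 0
    fi
    return 1
}

# List installed module names, e.g. for a maintainer script that has to
# recompile and reload the combined policy after an install or removal.
cil_installed() {
    ls -1 "$CIL_DIR" 2>/dev/null
}
```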