[DSE-Dev] On structure and installation of CIL modules
Victor Porton
porton at narod.ru
Mon May 12 13:27:11 UTC 2014
I propose to split all CIL packages (not necessarily corresponding 1-1 to Debian packages) into two categories:
1. base policies;
2. additional modules.
Installation of a base policy would create /etc/selinux/<POLICY> dir.
Installation of additional modules would not create this dir.
Each additional module can be activated individually using symlinks in /etc.
Sometimes one additional module may be compatible with several base policies.
It is possible to restrict installation of additional modules only when a compatible base policy is installed. However, this does not warrant that a module is active only when a compatible base policy is active.
The simplest way to resolve this issue is to put the burden of activating only compatible additional modules on the system administrator.
Any other ideas?
--
Victor Porton - http://portonvictor.org