[DSE-Dev] On structure and installation of CIL modules

Victor Porton porton at narod.ru
Mon May 12 13:27:11 UTC 2014


I propose to split all CIL packages (not necessarily corresponding 1-1 to Debian packages) into two categories:

1. base policies;
2. additional modules.

Installation of a base policy would create /etc/selinux/<POLICY> dir.

Installation of additional modules would not create this dir.

Each additional module can be activated individually using symlinks in /etc.

Sometimes one additional module may be compatible with several base policies.

It is possible to restrict installation of additional modules only when a compatible base policy is installed. However, this does not warrant that a module is active only when a compatible base policy is active.

The simplest way to resolve this issue is to put the burden to activate only compatible additional modules on the system administrator.

Any other ideas?

--
Victor Porton - http://portonvictor.org


