[DSE-Dev] Again about managing CIL modules in Debian

Victor Porton porton at narod.ru
Tue May 27 19:47:58 UTC 2014


I have said on this list that we have plenty of time to decide on this issue, because upstream cilcilc is not yet ready for production use. But this does not mean that we should refrain from solving this issue. Why does nobody answer?

I remind you of my proposal:
Split collections of CIL modules into two categories:

1. Base policies. At any moment in time only one of the base policies may be active.

2. Additional modules. These can be added to one or several base policies to implement specific universal tasks, such as sandboxing (which should work irrespective of which base policy is installed).

It is unclear how we could specify which additional modules are compatible with which base policies. The simplest way to resolve this issue is to put the burden of deciding which additional modules to enable and which to disable on the system administrator. Or we can invent something more sophisticated, such as an additional field in the package description file or whatever.

Please discuss. I hope we will have stable upstream secilc soon and we will need to solve how to manage it in Debian.

--
Victor Porton - http://portonvictor.org


