[DSE-Dev] Proper way to distribute a new policy
Russell Coker
russell at coker.com.au
Mon Jan 20 14:20:44 GMT 2025
On Sunday, 19 January 2025 00:49:46 AEDT Antonio Russo wrote:
> I'm working on packaging the FindMyDevice server [1]. I eventually want to
That sounds great, is there an agent you can package for Mobian?
> get it included in Debian proper, so I would like to make sure its
> packaging is clean. But I am also currently using it, so it also needs to
> be functional.
> My question is about adding SELinux policies. Starting from sepolicy generate,
> I have a selinux policy module that (tentatively) works in enforcing mode.
> **How should I distribute this policy module?**
>
> For instance, is there a debhelper script that just magically takes the module
> and handles it for me? Something equivalent to dh-apparmor, but
There is nothing like that and I don't have much interest in creating it. If
we have policy packaged outside of the main package then there's less ability
to track it and make sure it works in the right way.
https://github.com/SELinuxProject/refpolicy/releases
You could create a PR on GitHub to get it in upstream or you could send it to
me and I could review it and include it in the Debian policy as a first step.
I'm not going to stop people from creating a tool to do what you want, but I
don't have any interest in working on it myself.
> for selinux? The project is niche, so I kind of doubt that upstream would
> accept it.
We still have policy for the monopoly game server, telnetd, and other things
that aren't particularly useful nowadays.
Device tracking is only going to get more popular.
> But even if they did, I'd like to be able to iterate faster
> (i.e., suppose upstream changes, and the policy needs to be adjusted
> quickly). This might not apply so much for findmydevice, but might for
> other things I'm working on.
Policy doesn't need to get changed much after the first couple of releases.
Once the basic functionality of the daemon is sorted out, further changes tend
to be how to use the resources that are already being used, not adding new
resources.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/