On Tue, Feb 05, 2008 at 02:54:47AM +0100, Erich Schubert wrote:
> Hi Mark,
> > fixed in the Leafnode package.  Now you're telling me that this should,
> > as I had originally understood, be fixed in the SELinux packages.

> It requires knowledge of leafnode to be fixed. Ideally, it would be
> fixed within the leafnode package, albeit it's more realistic and
> practicable to do it in the refpolicy package (at least when you submit
> the module upstream and they include it - we don't really want to have
> two different versions of the policy module unless there is a good
> reason to do so!)

I've had a look around and as far as I can tell there are currently no
packages other than the core SELinux policy packages which ship SELinux
policy.  This would mean that were I to add SELinux policy to Leafnode
I would have to define the standard for how packages do this.  I really
don't feel that this is either reasonable or a particularly good idea
from a security point of view - I am in no way an expert on SELinux and
obviously the risks involved in making errors in SELinux configuration
are substantial.

> > This is obviously true - the point is that there is no visible support
> > for including new SELinux policy information in packages.

> Incorrect. Just ship a .pp (= policy package, aka policy module) file.
> The -dev package I mentioned is what you need for building the .pp file.

I see that I can build things but that doesn't deal with the key issues
for packaging, such as what exactly one is supposed to do with a policy
module once one has built it.  The instructions in the -dev package
appear to focus on installing the policy directly on the system used
instead of how one would go about shipping it in a package.

I would expect to see something more like the Python policy which would
allow the package to tell the system that it has installed a new policy
module and arrange for something appropriate to happen depending on the
configuration of the system.  I'd expect the interface to this to allow
a dh_selinux (or whatever) tool that could put the appropriate stuff in
the package scripts.

> See, you probably want to make an 'unofficial' policy package for
> leafnode, then try to get it 'official'.

As far as the Leafnode package goes I am only interested in doing things
that are a part of a coherent Debian system.  Contributing to SELinux
upstream is a separate issue.

> > Either you want me to implement SELinux support in the Leafnode package
> > or you want this to be done in the SELinux packages.  Which is the case?

> *I* do not care. Heck, I don't even care if leafnode ever gets a policy
> module, since I don't use it. Nor do I currently use SELinux, but that's
> another story. The -dev package exists to allow you building a policy
> module for leafnode.

Right, and I don't use SELinux and am ambivalent about the technology.

> Someone wrote a policy module for exim and submitted it
> upstream, now it's included there. Sounds like a working approach to me.

Indeed, providing support in SELinux upstream is the only viable option
I've seen suggested here.

> Go ahead and clone the bug to the refpolicy package, but at least use
> the correct package, please. But don't expect that to help getting the
> bug resolved; the usertag already added is more appropriate for tracking
> SELinux related issues.

I'm just not seeing any bug in the Leafnode package here.  As discussed
above there doesn't appear to be anything that looks like organised
support for individual packages adding their own SELinux policies.  It
certainly appears that centrally maintained policies are the SELinux
idiom.

Your replies here are the first time I have seen any suggestion that the
Debian SELinux packaging had reached the point where it is ready to push
policy out into packages but you're still sending mixed messages here.

-- 
"You grabbed my hand and we fell into it, like a daydream - or a fever."
