On Mon, 13 Jan 2014 16:19:22 Laurent Bigonville wrote:
> > I propose that every module which is required for a working system as
> > well as some modules that are extremely common be included in base.pp.
>
> We have followed the Fedora/Redhat way here. They are also compiling
> everything as separate modules. We also changed the way the modules
> were loaded, can we still get module loops with this new way?

Red Hat are making a mistake.

> I personally like the fact that everything is a module, this makes it
> easier (IMHO) to see immediately which one is enabled on the machine.
> I'm not sure if it's possible to achieve this if the modules are compiled in
> the base.pp.

True. But seeing a list of 400+ modules isn't helpful either. Also the module names aren't that informative, *I* had to read the source of some of those modules to work out what they were doing.

> When the modules are compiled in the base.pp, doesn't that mean that
> the user cannot disable the don't audit rules?

If you want to disable dontaudit rules you run "semodule -DB", that works for base rules too (at least it did last time I tested, if it doesn't it's a bug).

> Well we need to see how upstream will do the integration of systemd in
> the refpolicy. Fedora has completely dropped the init_systemd boolean
> for example.

Sure, that's just an example of how policy needs to change.

> > Also I'm going to propose removing some modules from upstream.
>
> Well I think that compiling all the modules doesn't really hurt. We
> have chosen to disable by default the ones that are obviously not for
> Debian, but install them on disk anyway. They can still be useful for
> some people.

I don't think so. Ones that aren't for Debian can be expected not to work without changes. Shipping broken modules doesn't seem useful.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
