[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: FC2 and FC1 and common home



On Tue, 2004-04-06 at 20:02 -0400, Colin Walters wrote:
> On Tue, 2004-04-06 at 19:46, Jeremy Katz wrote:
> > I actually pretty strongly disagree here.  I think that we need to move
> > to where policy for various daemons is included and maintained along
> > with the daemon.
> 
> The reason policy is centralized is because it allows one to easily
> analyze the entire thing at once, and also makes it easier to make
> sweeping changes by modifying just a few files.

This could be argued for a lot of other things too.  It's completely
unscalable, though.  I'll reference specspo again.  Also, it means that
whenever something new is added, either
a) the person adding the package has to analyze it and then add to the
policy package (which they don't own) and make the changes
or
b) the owner of the policy package has to update every time this
happens.  and be told about it.  this doesn't happen (cf problems with
packages never ending up in comps)

> >   Otherwise, we have a never-ending battle of one huge
> > monolithic package that will end up with bizarre dependencies on apps.
> 
> I'm not sure I understand - how does policy depend on applications?

Right now we have policy dependent on a new enough kernel.  I'm willing
to bet that we'll get an application behavior change at some point
that's going to end up making the policy require a specific version of
some program.  It's even worse if they're not specified (and to some
extent, this is currently the case -- we know that the policy will break
if you don't have new enough versions of some packages that have
required SELinux specific changes)

> > There's a reason we don't, eg, put all of the German translations for
> > everything we ship in, eg, a translations-german package.  It just
> > doesn't scale maintenance wise.  
> 
> Translations are different from SELinux security policy in that they're
> mostly independent of one another.

I don't think that they're really any more independent than the policy
_should_ be.  The policy for sendmail should have no relation to the
policy for httpd.  The two are orthogonal to each other.  Sure, there's
going to be some base set that everything depends on, but that's true in
other cases too (see core eight or so packages that everything in the
distribution depends on)

Jeremy



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]