If you are maintaining or developing a Fedora Package.

Richi Plana myfedora at richip.dhs.org
Sat Oct 20 15:37:21 UTC 2007


On Sat, 2007-10-20 at 14:59 +0200, Alexander Boström wrote:
> Sat 2007-10-20 at 11:52 +0300, Panu Matilainen wrote:
> 
> > If each package were fully in control of its own policies, 
> > storing the labels in packages themselves might make sense. 
> 
> I think it's good to keep in mind that SELinux is, as I see it, separate
> from everything else _by design_. It's a firewall, it's a part of
> multi-layer security. It's supposed to describe not really a policy but
> rather "expected behaviour", in a form that is separate from the actual
> policy and behaviour (the software itself).

And have a separate package for its selinux parts, <package>-selinux
(à la *-debuginfo). That way, non-SELinux installs don't need to install
them and the selinux bits can call on functions that only exist when
SELinux is installed. And who knows ... if down the line Fedora decides
to shift to a different security policy, it'll be easier because it was
cleanly separated in the packages.
--
Richi Plana



