If you are maintaining or developing a Fedora Package.
Richi Plana
myfedora at richip.dhs.org
Sat Oct 20 15:37:21 UTC 2007
On Sat, 2007-10-20 at 14:59 +0200, Alexander Boström wrote:
> On Sat, 2007-10-20 at 11:52 +0300, Panu Matilainen wrote:
>
> > If each package were fully in control of its own policies,
> > storing the labels in packages themselves might make sense.
>
> I think it's good to keep in mind that SELinux is, as I see it, separate
> from everything else _by design_. It's a firewall, it's a part of
> multi-layer security. It's supposed to describe not really a policy but
> rather "expected behaviour", in a form that is separate from the actual
> policy and behaviour (the software itself).
And have a separate package for its selinux parts, <package>-selinux
(à la *-debuginfo). That way, non-SELinux installs don't need to install
them and the selinux bits can call on functions that only exist when
SELinux is installed. And who knows ... if down-the-line Fedora decides
to shift to a different security policy, it'll be easier because it was
cleanly separated in the packages.
--
Richi Plana