If you are maintaining or developing a Fedora Package.

Alexander Boström abo at kth.se
Sat Oct 20 12:59:25 UTC 2007


On Sat 2007-10-20 at 11:52 +0300, Panu Matilainen wrote:

> If each package were fully in control of its own policies,
> storing the labels in packages themselves might make sense. 

I think it's good to keep in mind that SELinux is, as I see it, separate
from everything else _by design_. It's a firewall, it's a part of
multi-layer security. It's supposed to describe not really a policy but
rather "expected behaviour", in a form that is separate from the actual
policy and behaviour (the software itself).

That way, if the behaviour of the software is not what we expected it to
be (a security problem), maybe the description of the behaviour (the
SELinux policy) is what was expected, and thus this layer of security
catches the problem.

Thus, it's not strange that it's perhaps a bit difficult to integrate
SELinux with the rest of the system.

I maintain a package that I'd like to submit to Fedora. But before I do
that I need to figure out how to make it play nicely with SELinux. (It's
the Heimdal Kerberos implementation. It has a telnetd that is launched
from xinetd, so it needs to break out of the context xinetd is running
as before exec:ing the user's shell.) It works if you setsebool the
right config key, but I don't really know how to solve it the proper
way.

Would putting the policy in the package actually help make my problem
easier? Since I don't understand the problem fully and don't know how to
fix it, I would still need to talk to the people who know SELinux well.
That means it's not really a problem to let them update the central
policy files instead of me doing whatever needs to be done in the
package.

/abo




More information about the fedora-devel-list mailing list