Directories for policy module packages

Paul Howarth paul at city-fan.org
Wed Jul 26 12:07:30 UTC 2006


Daniel J Walsh wrote:
> Paul Howarth wrote:
>> Christopher J. PeBenito wrote:
>>> On Tue, 2006-07-25 at 10:14 +0100, Paul Howarth wrote:
>>>> Now that RPM packages are starting to include policy module packages 
>>>> (my mod_fcgid package was approved for Extras recently: 
>>>> http://bugzilla.redhat.com/195666), it would be nice to have a 
>>>> standard place for the .pp files to be dropped, and for that 
>>>> directory to be owned by the selinux-policy package (so that all the 
>>>> packages don't need to own it themselves).
>>>>
>>>> I propose the following:
>>>>
>>>> /usr/share/selinux/packages
>>>> (container directory, separate from modules bundled with Core package)
>>>>
>>>> /usr/share/selinux/packages/mls
>>>> (policy modules for use with the mls base policy)
>>>>
>>>> /usr/share/selinux/packages/strict
>>>> (policy modules for use with the strict base policy)
>>>>
>>>> /usr/share/selinux/packages/targeted
>>>> (policy modules for use with the targeted base policy)
>>>>
>>>> /usr/share/selinux/packages/share
>>>> (policy modules that have no base-specific elements, and can be used 
>>>> with all base policies)
>>>
> I think this is a good idea.

Good, but you might change your mind...

>>> There already is a standard location:
>>>
>>> /usr/share/selinux/NAME/
>>>
> Currently the selinux-policy-TYPE package looks in this directory and 
> installs all the pp files that are in this directory.
> It should probably change to only install the pp files that it is 
> packaging.  This is a management headache because we
> don't need to manage this now.  If someone has a good solution to 
> figuring out the pp files during the spec build this would be
> great.  Trying to update the modules-TYPE.conf file and maintaining the 
> spec file in sync would be a royal pain.

Try the attached patch which groks the module names from the 
modules-TYPE.conf file.

It also moves the directory ownership of the /usr/share/selinux/NAME/ 
directory from the selinux-policy-NAME package to the selinux-policy 
package, so that RPMs containing policy module packages for all base 
policies will have properly-owned directories to install them into even 
on systems that only have one of the base policies installed.

Regarding .pp files that are identical for each of the base policies, I 
think it's better not to have a "share" directory for them but instead 
to install them into one of the /usr/share/selinux/NAME/ directories and 
then link them to the other /usr/share/selinux/NAME/ directories. This 
could be done automagically with a bit of boilerplate scripting in the 
spec file that looks for identical .pp files and links them together. 
The advantage of doing it this way is that it'll still work properly 
even if some of the policy macros change and what was once a policy 
package that was identical across all base policies suddenly becomes 
different for each base policy, i.e. the module packager doesn't need to 
make any changes, just rebuild against the new policy.

With the attached patch and the module packaging policy described above, 
all .pp files, from both the Core policy packages and others, will go in 
/usr/share/selinux/NAME/ and there is no need for the separate 
/usr/share/selinux/packages/ hierarchy.

Paul.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: selinux-policy.spec.patch
Type: text/x-patch
Size: 2615 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20060726/f77e6c36/attachment.bin>
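
The two bits of spec-file boilerplate discussed in this message, reading the module list out of modules-TYPE.conf and hard-linking .pp files that came out identical for every base policy, as an added example in POSIX sh. This is not Paul's attached selinux-policy.spec.patch (which was scrubbed from the archive) and not selinux-policy's own scriptlets; it assumes the reference-policy modules.conf line format ("name = base|module|off"), and the sample tree and conf file it builds are constructed for the demo, not real policy modules.

```shell
#!/bin/sh
# Added example, not the scrubbed selinux-policy.spec.patch: the two pieces
# of spec-file boilerplate discussed in the thread, as functions an RPM
# %build / %install scriptlet could source.
set -eu

# modules_from_conf CONF
# Print one name per line for every module that modules-TYPE.conf builds as
# a loadable module ("name = module"); entries marked "base" (linked into
# the base policy) or "off" are skipped.  Assumes the reference-policy
# modules.conf format.
modules_from_conf() {
    sed -n 's/^[[:space:]]*\([A-Za-z0-9_-]\{1,\}\)[[:space:]]*=[[:space:]]*module[[:space:]]*$/\1/p' "$1"
}

# link_identical_modules ROOT FIRST OTHER...
# For every ROOT/FIRST/*.pp, replace a byte-identical ROOT/OTHER/*.pp with a
# hard link to it.  Files that differ (a macro expanded differently for that
# base policy) are left alone, so a module that is identical today and
# diverges after a policy update needs no packaging change, just a rebuild.
link_identical_modules() {
    root=$1 first=$2; shift 2
    for pp in "$root/$first"/*.pp; do
        [ -f "$pp" ] || continue
        name=${pp##*/}
        for type in "$@"; do
            other="$root/$type/$name"
            [ -f "$other" ] || continue
            if cmp -s "$pp" "$other"; then
                ln -f "$pp" "$other"   # same bytes: share one inode
            fi
        done
    done
}

# count_links FILE: hard-link count, taken from ls(1) so it is portable.
count_links() {
    ls -ld "$1" | awk '{print $2}'
}

# make_fixture DIR: constructed sample tree (not real policy modules).
# same.pp is identical in all three base-policy trees, differs.pp is not,
# and modules-targeted.conf lists one module, one base entry and one "off".
make_fixture() {
    for type in targeted strict mls; do
        mkdir -p "$1/$type"
        printf 'module same 1.0;\n' > "$1/$type/same.pp"
        printf 'module differs 1.0; # built for %s\n' "$type" > "$1/$type/differs.pp"
    done
    printf 'mod_fcgid = module\napache = base\nunused = off\n' > "$1/modules-targeted.conf"
}

# demo: run against a temporary tree when invoked as "sh script.sh demo".
demo() {
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    echo "loadable modules: $(modules_from_conf "$tmp/modules-targeted.conf")"
    link_identical_modules "$tmp" targeted strict mls
    echo "same.pp link count:    $(count_links "$tmp/targeted/same.pp")"
    echo "differs.pp link count: $(count_links "$tmp/targeted/differs.pp")"
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

In a spec file the linking step would run in %install after the three builds have dropped their .pp files under %{buildroot}/usr/share/selinux/{targeted,strict,mls}; RPM preserves hard links within a package, and because the comparison is on bytes rather than on which modules are "known" to be shared, a packager never has to revisit the list when the base policies drift apart.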