[ANN] SELinux Policy Editor 2.0(seedit 2.0)

Stephen Smalley sds at tycho.nsa.gov
Tue Jul 11 11:48:13 UTC 2006


On Tue, 2006-07-11 at 00:32 -0400, Yuichi Nakamura wrote:
> On Mon, 10 Jul 2006 17:03:29 -0400
> Stephen Smalley wrote:
> > What are your plans for modular policy support?  In the absence of it,
> > using your tool/policy on FC5 will disable the ability to use policy
> > modules and semanage on FC5, which would be a regression for users and
> > may break some packages that are beginning to leverage the semodule and
> > semanage functionality.
> I have two plans.
> 
> 1) Full Simplified Policy, no modular policy
> This is the current version.
> The whole policy is replaced by the simplified policy; the generated policy is
> monolithic.
> What I want to do is AppArmor-like configuration (security enhanced AppArmor??).
> I think I do not need modular policy for that use.
> semanage, semodule commands, APIs are not used in the current version.

You might not be using semanage and semodule from your own tools, but
users are using them already in FC5 and packages are beginning to use
them as well from scriptlets in order to install per-package policy or
apply other package-specific customizations.  Hence, switching to using
seedit will break such usage.

It shouldn't be difficult for you to just build your simplified policy
as a base policy module using checkmodule and install it via semodule,
in the same manner as the stock FC5 selinux-policy package.  Then users
and packages can continue using semodule and semanage.

-- 
Stephen Smalley
National Security Agency



