Making Fedora a contributor friendly environment
Paul Howarth
paul at city-fan.org
Wed May 9 17:11:32 UTC 2007
Jonathan Underwood wrote:
> On 09/05/07, Till Maas <opensource at till.name> wrote:
> [snip]
>> There are some drafts in:
>> http://fedoraproject.org/wiki/PackagingDrafts/SELinux
> [snip]
>
> I have been following this discussion a bit, and have read those draft
> packaging guidelines, and find myself as a packager rather confused.
>
> That draft details how to add support for SELinux to your package.
> But, what isn't clear to me is what the policy is for SELinux support
> more globally. Recently I've filed a few bugs against packages that
> have had problems with SELinux contexts and in each case the packager
> has re-assigned the bugs to the SELinux team, who have fixed the issue
> in an updated SELinux policy package.
>
> This would imply that the policy package is where things should be
> fixed, SELinux wise. But now that draft leaves me wondering if that is
> incorrect.
>
> Sooo.. where should SELinux contexts be set, in each package, or in
> the SELinux policy package?
>
> [Sorry if this is a dumb question]
There isn't a single correct answer for that one.
If the program's behaviour is causing SELinux issues (unnecessary
relocations, leaked file descriptors etc.) then the program should be fixed.
If file contexts need setting, the best place to do it is in the main
policy package. This is common with web applications for instance.
There are also more complex cases such as daemons for which no policy
currently exists. This may require the writing of policy for the daemon,
including the introduction of new file context types. This is probably
best done by writing and packaging a policy module (see also
http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules)
and, when the resulting policy appears stable, getting that policy merged
into the upstream reference policy.
Paul.
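As an added example, not taken from this thread or from the Fedora packaging drafts, here is what the "write and package a policy module" route Paul describes looks like in practice: reference-policy-style sources for a hypothetical daemon `exampled` (a new domain plus new file context types for its pid file and log), a sanity check worth running before building, and the build and load commands. Every name in it (exampled, exampled_t, exampled_exec_t, exampled_var_run_t, exampled_log_t, the paths under /usr/sbin, /var/run and /var/log) is an assumption for illustration; the build step needs selinux-policy-devel and root, and is skipped when the refpolicy Makefile is not present.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal SELinux policy module for a
# hypothetical daemon "exampled".  Every name below (exampled, exampled_t,
# the paths) is an assumption for illustration.

# Write the three policy-module sources (.te, .fc, .if) into directory $1.
write_exampled_policy() {
    dir=$1
    mkdir -p "$dir"

    # Type enforcement: the daemon domain, its entry point, and the new
    # file types for its pid file and log, with the transitions that give
    # files the daemon creates under /var/run and /var/log those types.
    cat > "$dir/exampled.te" <<'EOF'
policy_module(exampled, 0.1)

type exampled_t;
type exampled_exec_t;
init_daemon_domain(exampled_t, exampled_exec_t)

type exampled_var_run_t;
files_pid_file(exampled_var_run_t)

type exampled_log_t;
logging_log_file(exampled_log_t)

allow exampled_t exampled_var_run_t:dir manage_dir_perms;
allow exampled_t exampled_var_run_t:file manage_file_perms;
files_pid_filetrans(exampled_t, exampled_var_run_t, { dir file })

allow exampled_t exampled_log_t:file { create open append getattr setattr };
logging_log_filetrans(exampled_t, exampled_log_t, file)
EOF

    # File contexts: the paths that get the new types at restorecon time.
    cat > "$dir/exampled.fc" <<'EOF'
/usr/sbin/exampled          --  gen_context(system_u:object_r:exampled_exec_t,s0)
/var/run/exampled(/.*)?         gen_context(system_u:object_r:exampled_var_run_t,s0)
/var/log/exampled\.log      --  gen_context(system_u:object_r:exampled_log_t,s0)
EOF

    # Interface file: no interfaces yet, but the refpolicy Makefile wants it.
    cat > "$dir/exampled.if" <<'EOF'
## <summary>exampled daemon (example policy, no interfaces defined)</summary>
EOF
}

# Number of types the module declares (handy when reviewing a policy diff).
count_declared_types() {
    grep -c '^type ' "$1/exampled.te"
}

# Check that every type used in the .fc file is declared in the .te; left
# unchecked, the mismatch only shows up when the module fails to load.
check_fc_types_declared() {
    dir=$1
    sed -n 's/.*gen_context(system_u:object_r:\([a-z_]*\),s0).*/\1/p' "$dir/exampled.fc" |
    sort -u |
    while read -r t; do
        grep -q "^type $t;" "$dir/exampled.te" || {
            echo "exampled.fc uses $t, which exampled.te never declares" >&2
            exit 1
        }
    done
}

# Build the binary module and load it.  Needs selinux-policy-devel (which
# provides the refpolicy Makefile) and root; skipped when the Makefile is absent.
build_and_install() {
    dir=$1
    if [ ! -f /usr/share/selinux/devel/Makefile ]; then
        echo "selinux-policy-devel not installed; not building" >&2
        return 0
    fi
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile exampled.pp ) &&
    semodule -i "$dir/exampled.pp" &&
    restorecon -Rv /usr/sbin/exampled /var/run/exampled /var/log/exampled.log
}

# Usage: write the sources, lint them, then (as root) build_and_install "$workdir".
workdir=$(mktemp -d)
write_exampled_policy "$workdir"
check_fc_types_declared "$workdir" && echo "policy sources written to $workdir"
```

The .fc line is the same form used for the simpler case Paul mentions first: when a package only needs existing types applied to its paths (the web-application case), that one line, filed against the main policy package, is the whole fix, and no module of its own is needed. Packaging the built .pp into an RPM is what the PolicyModules draft Paul links covers.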
More information about the fedora-devel-list mailing list