Making Fedora a contributer friendly environment
kmacmill at redhat.com
Thu May 10 13:27:50 UTC 2007
On Wed, 2007-05-09 at 18:11 +0100, Paul Howarth wrote:
> Jonathan Underwood wrote:
> > On 09/05/07, Till Maas <opensource at till.name> wrote:
> > [snip]
> >> There are some drafts in:
> >> http://fedoraproject.org/wiki/PackagingDrafts/SELinux
> > [snip]
> > I have been following this discussion a bit, and have read those draft
> > packaging guidelines, and find myself as a packager rather confused.
> > That draft details how to add support for SElinux to your package.
> > But, what isn't clear to me is what the policy is for SElinux support
> > more globally. Recently I've filed a few bugs against packages that
> > have had problems with SElinux contexts and in each case the packager
> > has re-assigned the bugs to the SElinux team, who have fixed the issue
> > in an updated SElinux policy package.
> > This would imply that the policy package is where things should be
> > fixed, SElinux wise. But now that draft leaves me wondering if that is
> > incorrect.
> > Sooo.. where should SElinux contexts be set, in each package, or in
> > the SElinux policy package?
> > [Sorry if this is a dumb question]
> There isn't a single correct answer for that one.
> If the program's behaviour is causing SELinux issues (unnecessary
> relocations, leaked file descriptors etc.) then the program should be fixed.
> If file contexts need setting, the best place to do it is in the main
> policy package. This is common with web applications for instance.
Right - so for very simple changes (like setting a file context as
unconfined_execmem_t) filing a bug against the policy package with the
binary path is likely enough.
> There are also more complex cases such as daemons for which no policy
> currently exists. This may require the writing of policy for the daemon,
> including the introduction of new file context types. This is probably
> best done by writing and packaging a policy module (see also
> and, when the resulting policy appears stable, to get that policy merged
> into the upstream reference policy.
Just to be clear - it is desirable to have specific policy for
applications (particularly network facing daemons) but it is not
required. Almost all applications should just work with SELinux with the
targeted policy. If you are having problems just drop a not to the
fedora-selinux list or file a bug against policy.
More information about the fedora-devel-list