.te files in packages

Andrew Farris fedora at andrewfarris.com
Mon Apr 26 07:55:07 UTC 2004


On Wed, 2004-04-21 at 11:00 -0700, Shahms King wrote:
> (I just subscribed, so I'm replying from the list archive...)
> 
> Given that FC2 is no longer shipping with SELinux enabled by default, it
> makes sense to have a separate policy package for individual packages,
> IMHO.

While this sounds like a neat idea, I can see problems with it being
used effectively.  What if a user has selinux disabled when they install
a number of packages, and then decides to turn it on--the packages would
have to be retrieved and installed before they could be used.  That
could be frustrating, especially for network-isolated machines.

Might it be better to include the policy with the main package, to
install the policy files into the policy source, but not to rebuild or
reload the policy unless selinux was running?  As I understood it,
shipping with selinux off by default would not mean the packages were
not installed at all.  If the policy will not be installed at all, and
each 'extra' package installed that contained policy abstained from
installing the policy, then some mechanism would be required to extract
all the policy from 'extra' installed packages at the time selinux was
installed or enabled (in the future).  That would be difficult as well,
so including the policy files may not be a perfect solution either.
-- 
Andrew Farris, CPE senior (California Polytechnic State University, SLO)
fedora at andrewfarris.com :: lmorgul on irc.freenode.net
"The only thing necessary for the triumph of evil is for good men
to do nothing." (Edmund Burke)
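
The approach proposed in the message above (always install the policy files into the policy source, rebuild or reload only when SELinux is running), sketched as an added example that is not part of the original message or of any Fedora package. The function names, the `.reload-pending` marker, the overridable `SELINUX_CHECK` and `POLICY_RELOAD` commands, and the `make load` default are assumptions.

```shell
#!/bin/sh
# Added illustration; not from the thread or from any Fedora package.
# Assumptions (all hypothetical names unless noted):
#   SELINUX_CHECK  exits 0 when SELinux is running (selinuxenabled from
#                  libselinux behaves this way)
#   POLICY_RELOAD  rebuilds and loads policy from the source dir in $1
: "${SELINUX_CHECK:=selinuxenabled}"
: "${POLICY_RELOAD:=reload_with_make}"

# Assumed rebuild step: a "load" target in the policy source Makefile.
reload_with_make() { make -C "$1" load; }

# install_pkg_policy TE_FILE POLICY_SRC_DIR
# Package-install step: always copy the .te file into the policy source,
# but rebuild/reload only when SELinux is running. Prints "reloaded" or
# "deferred"; returns non-zero on failure.
install_pkg_policy() {
    te_file=$1
    policy_src=$2
    [ -f "$te_file" ] || { echo "missing $te_file" >&2; return 1; }
    mkdir -p "$policy_src" || return 1
    cp -- "$te_file" "$policy_src/" || return 1

    if $SELINUX_CHECK >/dev/null 2>&1; then
        $POLICY_RELOAD "$policy_src" || return 1
        rm -f "$policy_src/.reload-pending"
        echo reloaded
    else
        # SELinux is off: leave the source in place and note that a
        # rebuild is owed, so nothing has to be re-fetched later.
        : > "$policy_src/.reload-pending"
        echo deferred
    fi
}

# enable_time_reload POLICY_SRC_DIR
# Run once when SELinux is switched on: every package's policy is already
# in the source tree, so a single rebuild picks all of it up.
enable_time_reload() {
    policy_src=$1
    [ -e "$policy_src/.reload-pending" ] || { echo nothing-to-do; return 0; }
    $POLICY_RELOAD "$policy_src" || return 1
    rm -f "$policy_src/.reload-pending"
    echo reloaded
}
```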




More information about the fedora-selinux-list mailing list