New design for policy on disk allowing multiple policy rpms to be simultaniously installed.
Andrew Farris
fedora at andrewfarris.com
Wed May 26 05:15:56 UTC 2004
On Tue, 2004-05-25 at 14:47 -0400, Daniel J Walsh wrote:
> 1. We are breaking the policy file out into two separate policy packages
>
> selinux-policy-strict (-source also)
> - Containing pretty much the current policy
> selinux-policy-targeted (-source also)
At this time.. since a 'clean break' is desired and still fairly doable
it would be a good idea to consider more than two policies -- the
changes made now should at least consider the repercussions of sysadmins
adding their own customized policies.. in parallel rather than over the
top of these two.
> 2. Both packages obsolete the current policy rpm.
>
> 3. We want both policy files to be installable and not conflict with
> each other.
>
> 4. Policy files will be installed in the /etc/selinux/(strict|targeted)
> directory.
> Under this tree there will be at least three additional directiories
These separated trees should be a general enough method for additional
policies.
> 5. Tools and libraries (fixfiles, libselinux, init, and setools) will be
> modified to use the /etc/sysconfig/selinux file to determine which
> policy to currently use on the system and where the policy files are
> located.
system-config-security should handle setting this and recognizing the
presence of additional policies as well -- libselinux handles this for
s-c-s?
> 6. If during the install /etc/sysconfig/selinux does not exist or does
> not contain an entry for the type of policy, the first one installed
> will set the context to itself.
On install it may be reasonable to set the context if the current value
was unknown.. but it may be annoying if installing a default policy
while a custom policy was in use. Perhaps a defined 'custom' option
should be considered that these scripts would honor as valid, or the
'custom' name could be mandated to be an existing directory
under /etc/security/selinux (meaning only that it is there rather than
actually checking the contents of the directory in the rpm install
script).
> # Select the type of policy that you are running current values are
> # strict and targeted
# strict, targeted, or custom
> #
> SELINUXTYPE=strict
Perhaps this consideration is something for the next 'clean break'
instead of now, but it looks like a good time to handle is as generally
as possible.
--
Andrew Farris, CPE senior (California Polytechnic State University, SLO)
fedora at andrewfarris.com :: lordmorgul on irc.freenode.net
More information about the fedora-selinux-list
mailing list