Is there a SELinux tutorial for ISVs ?

[Chad Hanson]

> 
> This string of messages brings up something I wanted to get a 
> conversation going on how to handle non OS Provided policy.
> 
> We all know we need a better mechanism for handling "binary" 
> policy in 
> the future.  ( I think the future is now.)
> I see three people providing policy.
> 

I agree, as an ISV we need a way to add custom policy to support our
applications. We currently use a processed version to the policy to have
source modules until the binary modules are part of Fedora.

> 1. OS Provider with base policy.  (It would also be nice if the base 
> policy got broken into several policies and only the policy
> of the running service would be loaded.  If we got to this state we 
> would need a new mechanism for restoring file context since
> file_context might not meet the currently loaded policy. 
> 
> 2. Third Party application developers.  As the use of targeted policy 
> has begun to take off, Third Party ISV have started to question
> how they can play in this world.
> 

Exactly, see statement above.

> I see Tresys Stuff solving the problems of both of the above.
> 
> 3 Local User customization and minor policies.  Currently we 
> have people 

Along with local user policy, there needs to be local network policy
customizations as well. This is required from an MLS perspective and I would
think be useful for TE network restrictions as well.