Stephen Smalley sds at
Fri May 13 11:24:17 UTC 2005

On Fri, 2005-05-13 at 12:05 +0200, Aurelien Bompard wrote:
> OK, so there is nothing the upstream maintainers can/have to do.

Not entirely.  They can eliminate the need for text relocations on their
shared objects, thereby avoiding the need to mark their shared objects
with texrel_shlib_t in the policy and reducing the resulting security

> How should third party vendors package their RPMs to make sure they work
> with SELinux, then? Can we exclude /opt from the audits?

Ultimately, they will be able to ship a "binary policy module" for their
package that includes an explicit set of dependency requirements on what
the base policy must provide.  Binary policy module support was
developed by Tresys Technology ( and is planned
to be upstreamed in June, for eventual inclusion in FC5/devel.

Stephen Smalley
National Security Agency

More information about the fedora-selinux-list mailing list