Binary policy modules

Mike Hearn mike at plan99.net
Thu Oct 13 17:19:23 UTC 2005


On Thu, 13 Oct 2005 11:29:10 -0400, Stephen Smalley wrote:
> Good questions; I don't think that this has been fully resolved. MLS
> compatibility is also an issue; Fedora has enabled MLS/MCS, whereas other
> distros have not yet done so, and the format is affected by that.

Ah, right ... yes this is the sort of thing we have to watch out for. I
want to be able to distribute a single binary that works on any distro -
think commercial software, though it's useful for open source projects too.

> Not the "capability names" i.e. class/permission names, but the
> domain/type names can vary.  

Right, OK, that's what I thought. My initial target is super-simple:
restrict installers from loading kernel modules. I know there are lots of
ways around that if this is the only restriction but I want to start
simple and work up from there (next step would be to stop installers
interfering with critical system files etc).

One issue that will affect that is how uniform labelling is under /etc -
hopefully Fedora, Gentoo and any other distros that support SELinux will
move to the reference policy soon. Of course, as only Fedora ships it on by
default in a desktop install for now, being Fedora-specific is acceptable.

> Yes, I agree with that.  One potential issue is with installing a large
> number of packages; you'd like to be able to batch up all of the policy
> modules into a single policy update and load, and then unpack all of the
> packages.

Indeed. Autopackage can cope with that fine as it uses a two-phase
install, but as AP isn't designed to run a distribution but rather
distribute 3rd party software Loki Setup style, that's not much use here :)

thanks -mike




More information about the fedora-selinux-list mailing list