package review?

Paul Howarth paul at city-fan.org
Sat Jul 22 12:05:31 UTC 2006


On Fri, 2006-07-21 at 14:14 -0700, Michael Thomas wrote:
> > You should check that the transition has happened by running ps with the
> > "-Z" option to show the process context when you're running the
> > application.
> 
> It shows up as crossfire_exec_t because...

crossfire_exec_t? Not crossfire_t?

> > Note that most things running confined under targeted policy are started
> > from initscripts and there is no transition from unconfined_t needed (or
> > wanted). That's not the case here though.
> 
> ...it is started from an init script.  Normal (unconfined) users should
> not be starting this by hand.  Instead, normal users will run the client
> application which connects to this server.  In this case, it sounds like
> I don't need the rule to transition from unconfined_t.

Right; I must have missed the initscript in the files list.

So yes, you are correct that you don't need (or even want) the transition from unconfined_t.

> >>Some things that would be nice to clarify:
> >>
> >>Should selinux be added as a subpackage or automatically included in the
> >>base package?
> > 
> > 
> > I don't have a strong opinion either way on this. I've tended to stick
> > to keeping everything together because I find it easier to manage that
> > way. As long as the SELinux bits don't get in the way of people not
> > using them, I don't think it's a problem.
> 
> I think I would prefer to use a separate package (not integrated with
> the base package), so that the policy can be turned on and off by simply
> installing/uninstalling the -selinux package.

Bear in mind that there should be a crossfire_disable_trans boolean that
would turn off the policy (or rather the transition to crossfire_t) when
set, without having to uninstall the policy.

Paul.
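
The check discussed in this thread (run ps with "-Z" and confirm the daemon ended up in crossfire_t), written as an added example that is not part of the original message. The process name `crossfire` and both `ps -eZ` samples are constructed assumptions; only the types crossfire_t and crossfire_exec_t come from the thread.

```shell
#!/bin/sh
# Constructed `ps -eZ` samples (LABEL PID TTY TIME CMD); not captured from a real host.
# SAMPLE_OK: the daemon made the domain transition when the init script started it.
SAMPLE_OK='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 init
system_u:system_r:crossfire_t:s0 2301 ?        00:00:07 crossfire
user_u:system_r:unconfined_t:s0  2450 pts/0    00:00:00 bash'

# SAMPLE_BAD: no transition happened, so the daemon kept the init script's domain.
SAMPLE_BAD='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 init
system_u:system_r:initrc_t:s0    2301 ?        00:00:07 crossfire
user_u:system_r:unconfined_t:s0  2450 pts/0    00:00:00 bash'

# check_domain CMD DOMAIN
# Reads `ps -eZ` text on stdin. Succeeds only if at least one process named CMD
# exists and every such process runs in DOMAIN. Mismatches are printed.
check_domain() {
    awk -v cmd="$1" -v want="$2" '
        NR > 1 && $NF == cmd {
            seen = 1
            split($1, ctx, ":")          # context is user:role:type[:level]
            if (ctx[3] != want) {
                printf "pid %s (%s) runs as %s, expected %s\n", $2, cmd, ctx[3], want
                bad = 1
            }
        }
        END {
            if (!seen) printf "no process named %s found\n", cmd
            exit ((seen && !bad) ? 0 : 1)
        }'
}

# Demo on the constructed samples. On a live system: ps -eZ | check_domain crossfire crossfire_t
printf '%s\n' "$SAMPLE_OK"  | check_domain crossfire crossfire_t && echo "OK: confined"
printf '%s\n' "$SAMPLE_BAD" | check_domain crossfire crossfire_t || echo "FAIL: not in crossfire_t"
```

Note that crossfire_exec_t is the type on the executable file, while crossfire_t is the domain the running process should show, so the check compares against crossfire_t.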




More information about the fedora-selinux-list mailing list