From: Dominick Grift <dominick.grift@gmail.com>
To: selinux <selinux@tycho.nsa.gov>
Subject: RFC policycoreutils packaging
Date: Sat, 14 Sep 2013 15:54:20 +0200
Message-ID: <1379166860.4313.21.camel@d30>

We were discussing policycoreutils packaging and there are some things
unclear to me:

1. If one wants to run a monolithic policy on an embedded system, then,
besides fixfiles and checkpolicy, which tools from policycoreutils are
needed?

1.a How are home dir contexts generated with monolithic policy (or
should they be created manually?), I ask this because in Fedora the
genhomedircon is just a script that calls semodule, but I think semodule
does not work with monolithic policy. If true, how then is someone
expected to generate home dir contexts?

2. Does the sandbox utility only work (or only work properly) in
policy configurations that have the MCS security model enabled? If so
should one then depend on a policy model that has MCS enabled?

Fedora splits policycoreutils into the following components/packages:

policycoreutils
policycoreutils-devel
policycoreutils-gui
policycoreutils-newrole
policycoreutils-python
policycoreutils-restorecond
policycoreutils-sandbox

However I am considering whether it makes sense to additionally split
policycoreutils into policycoreutils, and policycoreutils-semodule.
Because, well, monolithic configurations do not need semodule.

The problem here is that genhomedircon is basically a shell script that
runs semodule, thus I suspect that the genhomedircon script then needs
to also go into the policycoreutils-semodule package.

Then I get back to my first question, if semodule generates
homedircontexts, and cannot be used with monolithic policy, and if
genhomedircon is just a shell script that runs semodule, then how does
one take care of home dir contexts in a monolithic configuration?

Any hints, tips, advice and comments are greatly appreciated.