From: "David Härdeman" <david@hardeman.nu>
To: selinux@tycho.nsa.gov
Cc: dwalsh@redhat.com
Subject: Fedora refpolicy patches
Date: Wed, 16 Jul 2008 18:56:34 +0200
Message-ID: <20080716165634.GA8072@hardeman.nu>

While working on SELinux-enabling a Debian system, I often Google for
avc messages that show up in dmesg and 90% of the time it seems that the
problem has already been solved in Fedora's version of the refpolicy but
not in the upstream version.

Googling a bit more led me to these emails:
http://marc.info/?l=selinux&m=121155835630301&w=2
http://marc.info/?l=selinux&m=121622105928866&w=2

The latest Fedora patch:
http://cvs.fedoraproject.org/viewcvs/devel/selinux-policy/policy-20080710.patch?rev=1.2&view=auto
Is 36918 lines totalling over 1.1 Mb.

The latest Debian patch:
http://ftp.de.debian.org/debian/pool/main/r/refpolicy/refpolicy_0.0.20080702-1.diff.gz
Is 8759 lines totalling 258Kb (but that includes the build scripts).

I wrote a quick python script that splits the Fedora patch into
per-module patches (much like the ones Daniel J Walsh posted, only that
I get 214 patches) and I'm prepared to start going over these patches
seeing which ones are relevant and which ones would need some changes to
work in Debian as well (for instance, lots of *.fc files would need to
have lines like /etc/rc.d/init.d/something changed to
/etc/(rc.d/)?init.d/something to work in both RH and Debian).

The question is how to treat the patches after that? Should I post them
as I go through them (a couple per day for a couple of weeks?) and hope
that someone at Tresys will apply them?

Also, Daniel, do you think it would be possible to change the Redhat
build scripts to take a directory of patches instead of the huge patch
it uses right now? It would make it much much easier to track the
differences if the changes to each module were tracked in one patch in
the CVS repo. It would also make it clearer what each change does (not
at all clear sometimes with the current huge patch...comments and/or
links to bugzilla entries would have been great) as each change to each
patch will at least have the commit message to go along with it.

And in the end...does it really help? Someone at Tresys will have to
review every patch anyway...so should I start looking at patches?

--
David Härdeman
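
Added example (not part of the original message, and not the script David describes): one way to split a monolithic refpolicy diff into per-module patches and to generalize added init script file contexts as the message suggests. It assumes each file diff starts with a "diff " line and that module sources live under policy/modules/<layer>/<module>.{te,if,fc}; the function names and the sample diff are constructed for illustration.

```python
import re

# Assumption: module sources live at policy/modules/<layer>/<module>.{te,if,fc}
MODULE_RE = re.compile(r"policy/modules/[^/\s]+/([^/\s]+)\.(?:te|if|fc)$")
# Added .fc lines anchored at the Red Hat init script directory (dots escaped or not)
INITD_RE = re.compile(r"^\+/etc/(rc\\?\.d/)(init\\?\.d/)")

def split_by_module(patch_text):
    """Group the per-file diffs of one large unified diff by refpolicy module."""
    groups, chunk = {}, []

    def flush():
        if chunk:
            target = next((l[4:].split("\t")[0].strip()
                           for l in chunk if l.startswith("+++ ")), "")
            m = MODULE_RE.search(target)
            groups.setdefault(m.group(1) if m else "_other", []).extend(chunk)
            chunk.clear()

    for line in patch_text.splitlines(keepends=True):
        if line.startswith("diff "):   # each file diff starts with a "diff ..." line
            flush()
        chunk.append(line)
    flush()
    return {name: "".join(lines) for name, lines in groups.items()}

def portable_initd(module_patch):
    """Make the rc.d/ component optional in added file-context paths."""
    return "".join(INITD_RE.sub(r"+/etc/(\1)?\2", line)
                   for line in module_patch.splitlines(keepends=True))

# Constructed sample input (not taken from the Fedora patch)
SAMPLE = r"""diff -u -r a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -1,1 +1,2 @@
 /etc/httpd(/.*)?  gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/rc\.d/init\.d/httpd  --  gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
diff -u -r a/policy/modules/services/apache.te b/policy/modules/services/apache.te
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -10,1 +10,2 @@
 type httpd_t;
+type httpd_initrc_exec_t;
diff -u -r a/Makefile b/Makefile
--- a/Makefile
+++ b/Makefile
@@ -1,1 +1,2 @@
 all:
+# constructed change
"""
```

The rewrite replaces lines one for one, so hunk line counts stay valid; each rewritten file context still needs review, since a broadened path regex changes which files receive the label.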