All of lore.kernel.org
 help / color / mirror / Atom feed
From: Jason Zaman <jason@perfinion.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Chris PeBenito <pebenito@ieee.org>, SELinux <selinux@tycho.nsa.gov>
Subject: Re: [RFC] Split up policycoreutils
Date: Tue, 25 Oct 2016 11:49:00 +0800	[thread overview]
Message-ID: <20161025034900.GA14100@meriadoc.perfinion.com> (raw)
In-Reply-To: <db994f8e-27d9-7554-56f5-beb217274d1b@tycho.nsa.gov>

On Mon, Oct 24, 2016 at 09:13:42AM -0400, Stephen Smalley wrote:
> On 10/22/2016 09:44 AM, Chris PeBenito wrote:
> > On 10/21/16 13:47, Stephen Smalley wrote:
> >> policycoreutils started life as a small set of utilities that were
> >> necessary or at least widely used in production on a SELinux system.
> >> Over time though it has grown to include many optional components, and
> >> even within a given subdirectory (e.g. sepolicy) there seem to be a
> >> number of components that should be optional (e.g. the dbus service).
> >> I'd like to propose that we move a number of components out of
> >> policycoreutils into their own top-level subdirectory (possibly grouping
> >> some of the related ones together).

I'm also in favour of splitting. As Sven said, we conditionally compile
things with USE-flags in gentoo instead of separate packages but that
can easily change. Live would probably be easier since then there would
be no patching to make it conditional.
We dont even package sandbox and quite a few other things at all. We do
also have a policycoreutils-extra (has rlpkg and a few other things)
which I have been meaning to upstream but havent gotten around to it
yet. If things are getting split those could be added to whatever
policyextrautils package we end up with.


> > I'm not sure where the main part of sepolicy should go, but it would be
> > nice to split it out since it depends on setools which has heavier
> > dependencies than a core system package should typically have IMO
> > (NetworkX, which pulls in scipy, numpy, matplotlib, etc.)
> 
> I would be in favor of that too, but hesitated to do so because it would
> require moving audit2allow and semanage out of policycoreutils as well.
> Fedora does package those as part of policycoreutils-python (along with
> sepolgen).  Arguably audit2allow isn't necessary for production (but
> many users of SELinux in Linux distributions rely on it), but semanage
> is more fundamental these days.
> 
> However, if people are open to moving sepolicy, audit2allow, and
> semanage, possibly combining them with sepolgen in a new
> subdirectory/package, then we could explore that.

My eventual goal for seobject.py was to just kill it, there isnt really
anything that setools4 doesnt have. For the last release mostly due to
lack of time I changed several parts to just be sort of thin wrappers
around setools.

sepolicy also seemed like two separate things. one part was a kind of
library thing which i updated to use setools4 too, that would be better
off dying or being a separate small lib. then there is the whole gui
part of sepolicy which can probably be split out. I dont think i've ever
personally used the gui. semanage only requires the lib parts.

I havent looked too much into the core of setools4 other than what I
needed to update sepolicy so I'm not sure how important networkX and
stuff are. semanage might only require the base stuff if we're able to
split that out?

-- Jason

  parent reply	other threads:[~2016-10-25  3:49 UTC|newest]

Thread overview: 28+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-10-21 17:47 [RFC] Split up policycoreutils Stephen Smalley
2016-10-21 18:11 ` Daniel J Walsh
2016-10-21 21:06   ` Paul Moore
2016-10-22 13:44 ` Chris PeBenito
2016-10-24 13:13   ` Stephen Smalley
2016-10-24 13:16     ` Dominick Grift
2016-10-24 13:21     ` Stephen Smalley
2016-10-24 21:15       ` Daniel J Walsh
2016-10-25  5:47         ` Dominick Grift
2016-10-31  9:27       ` Sven Vermeulen
2016-10-31 14:29         ` Stephen Smalley
2016-10-25  3:49     ` Jason Zaman [this message]
2016-10-25 22:12       ` Chris PeBenito
2016-10-24  9:28 ` Petr Lautrbach
2016-10-24 12:33 ` Sven Vermeulen
2016-10-31 18:05 ` Stephen Smalley
2016-10-31 18:11   ` Dominick Grift
     [not found]   ` <eaeb9dc4-e69f-47de-50ad-083ce97e1153@gmail.com>
     [not found]     ` <98931665-f141-29e3-fb3a-9335e58874b0@tycho.nsa.gov>
2016-10-31 18:26       ` Dominick Grift
2016-10-31 18:42   ` Stephen Smalley
2016-11-01 19:00   ` Daniel J Walsh
2016-11-08 19:42   ` Stephen Smalley
2016-11-14 20:41     ` Jason Zaman
2016-11-15 14:47       ` Stephen Smalley
2016-11-15 15:01         ` Stephen Smalley
2016-11-15 16:30           ` Jason Zaman
2016-11-16 19:00             ` Stephen Smalley
2016-11-16 19:07               ` Stephen Smalley
2016-11-18 12:40         ` Daniel J Walsh

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20161025034900.GA14100@meriadoc.perfinion.com \
    --to=jason@perfinion.com \
    --cc=pebenito@ieee.org \
    --cc=sds@tycho.nsa.gov \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.