From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <4558B928.50609@mentalrootkit.com>
Date: Mon, 13 Nov 2006 13:27:52 -0500
From: Karl MacMillan
MIME-Version: 1.0
To: Stephen Smalley
CC: Joshua Brindle, Daniel J Walsh, SE Linux
Subject: Re: I would like to propose that we add compression to handle all policy files on disk.
References: <6FE441CD9F0C0C479F2D88F959B01588514F17@exchange.columbia.tresys.com> <1163097830.32083.52.camel@localhost.localdomain> <1163106106.12241.399.camel@moss-spartans.epoch.ncsc.mil> <1163109275.32083.60.camel@localhost.localdomain> <1163109929.12241.408.camel@moss-spartans.epoch.ncsc.mil>
In-Reply-To: <1163109929.12241.408.camel@moss-spartans.epoch.ncsc.mil>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

Stephen Smalley wrote:
> On Thu, 2006-11-09 at 16:54 -0500, Karl MacMillan wrote:
>> On Thu, 2006-11-09 at 16:01 -0500, Stephen Smalley wrote:
>>> On Thu, 2006-11-09 at 13:43 -0500, Karl MacMillan wrote:
>>>> On Thu, 2006-11-09 at 12:00 -0500, Joshua Brindle wrote:
>>>>>> From: Stephen Smalley [mailto:sds@tycho.nsa.gov]
>>>>>>
>>>>>> On Thu, 2006-11-09 at 10:13 -0500, Stephen Smalley wrote:
>>>>>>> On Thu, 2006-11-09 at 09:34 -0500, Joshua Brindle wrote:
>>>>>>> Sounds like dropping base.linked and making previous optional would
>>>>>>> address the problem more effectively. Also, do we need to keep
>>>>>>> policy.kern after successful installation of policy.N? If not, we can
>>>>>>> have libsemanage unlink it automatically after installation.
>>>>>> Same question for any other file regenerated by every commit,
>>>>>> although we may not get much of a savings from the others.
>>>>>> file_contexts.template, file_contexts, and netfilter_contexts
>>>>>> are the most obvious ones.
>>>>>>
>>>>> Karl suggested that we can compress the policy packages but not the
>>>>> kernel policy. As long as this isn't a policy package format change
>>>>> (e.g., the policy packages in /usr/share/selinux are the same they've
>>>>> always been) and it is only libsemanage manipulating the files in the
>>>>> store, I'm fine with that. The module store is a private resource of
>>>>> libsemanage, so nothing else should be affected in any way by this.
>>>>>
>>>> Making semodule recognize bzipped files should be pretty simple as well
>>>> - why wouldn't we do that to save space in /usr/share/selinux?
>>> Why do we need to keep /usr/share/selinux/$SELINUXTYPE/*.pp around
>>> _after_ a successful run of semodule from %post? Why not just remove
>>> them after installation? And move enableaudit.pp into a separate -debug
>>> package.
>>>
>> Removing files managed by an RPM doesn't seem like a good idea, even in
>> %post. At the very least, won't this make rpm verification report
>> changes?
>
> True. Nonetheless, keeping those files around indefinitely when they
> are never used again seems pointless.

It easily lets you go back to the shipped configuration, but probably only
policy developers changing base.pp care.

> Is there a different way to
> package them that would let them be transient?
>

I'm not a packaging expert, but the whole reason we took this route was
because we saw no other way to let the package manager manage its files
and have the module store fully managed by SELinux.

Karl

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
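The thread's concern is that deleting RPM-owned .pp files in %post would make package verification report changes. The following added example, which is not part of the thread and not code from libsemanage or any SELinux package, shows what that looks like from an integrity-monitoring point of view: it classifies lines in the output format of `rpm -V <package>` into missing, modified and merely touched files. The sample output and the paths in it are constructed for the example; the package name and file set are assumptions, not taken from any real package.

```shell
#!/bin/sh
# Added example (not from the original thread): classify lines in the
# output format of `rpm -V <package>` so that files removed after install
# (e.g. policy packages unlinked in %post) show up as "missing".
# The sample below is constructed; paths and package contents are assumed.

# Constructed sample in rpm -V format. "missing" entries are files the
# package owns but which are gone from disk; other entries carry an
# attribute string (S=size, 5=digest, T=mtime, M=mode; '.' = unchanged),
# an optional file type column (c = config) and the path.
SAMPLE_RPM_V='missing     /usr/share/selinux/targeted/base.pp
missing     /usr/share/selinux/targeted/enableaudit.pp
S.5....T.  c /etc/selinux/semanage.conf
.......T.    /usr/share/selinux/targeted/other.pp'

# classify_verify_output reads rpm -V lines on stdin and prints one
# "<class> <path>" line per entry: missing, modified (size or digest
# differs from the packaged file) or touched (only mtime or similar
# metadata changed, content unchanged).
classify_verify_output() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line##* }          # last whitespace-separated field
        case "$line" in
            missing*)
                printf 'missing %s\n' "$path"
                ;;
            *)
                attrs=${line%% *} # first field: the attribute string
                case "$attrs" in
                    *S*|*5*) printf 'modified %s\n' "$path" ;;
                    *)       printf 'touched %s\n' "$path" ;;
                esac
                ;;
        esac
    done
}

# count_missing prints the number of missing entries found on stdin.
count_missing() {
    classify_verify_output | grep -c '^missing '
}

# Stand-alone usage: feed the constructed sample through the classifier.
printf '%s\n' "$SAMPLE_RPM_V" | classify_verify_output
printf 'missing files: %s\n' "$(printf '%s\n' "$SAMPLE_RPM_V" | count_missing)"
```

On a real system the input would come from `rpm -V` itself; the classifier only looks at the attribute string and the path, so the distinction between a file the package intentionally removed and one an attacker deleted has to come from policy outside this script.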