* SeLinux integration
From: Jens Neuhalfen @ 2008-08-17 10:44 UTC
To: git

Hi,
I wrote an SeLinux policy and an init.d script for the git-daemon
and now seek for comments and improvements.
The scripts were tested on my Centos 5.2 box and an older version had
been tested on FC 9.
Features:
* multiple configuration files for the init.d script
* selinux support for git daemon
* seboolean (git_daemon_update_repository) that forces git-daemon
into strict read-only mode when set to false
TODO
* The policy and the accompanying init.d script still lack
documentation
* see selinux/BUGS and initd/BUGS
Feel free to pull from my repository and comment. If everything is
'good' I will send patches to the list, so that SeLinux support can be
integrated into the main repository.
git://www.neuhalfen.name/git-selinux.git
Jens

* Re: SeLinux integration
From: Christian Jaeger @ 2008-08-18 8:45 UTC
To: Jens Neuhalfen; +Cc: git

Jens Neuhalfen wrote:
> git://www.neuhalfen.name/git-selinux.git

I'm just an end user, too, so this isn't representing any official statement, but imho you should clean up your history before you publish it (and also, I think it would be a good idea to mention that your git repo is really including the upstream git so that people know they should use the --reference option to git clone to reuse the contents of a local upstream git to avoid pulling everything from your server):

- remove commits that don't make sense like your "XXX" file
- generally look over your history again and rework it so that it makes sense for a receiver (which is not necessarily the historic events of how you wrote it)
- follow the common commit message format (one line subject, the rest in the body and line wrapped)
- probably there's no reason to merge your history with historic events of the upstream git, so you should rebase your history onto some point of upstream.

You can do this by running

    git branch last_upstream 053fd0c1c3da20474c4ff175c56ea4c1d6eeda11
    git rebase --interactive last_upstream

(or alternatively (with the advantage that you can open and edit all patches at the same time, but the disadvantage that editing diffs is more difficult to get right than editing files in snapshots), by first creating patch files by running:

    git format-patch master...last_upstream

then editing the patch files (and remove those which don't make sense) and then switch to the upstream branch and run "git-am --3way 00*patch", or replace 00*patch with the patch files in the order you want them applied).

Christian.
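As an added illustration (not Christian's own commands and not anything from the git-selinux repository), the format-patch variant of the cleanup described above, carried out end to end in a constructed throwaway repository; the `selinux/git_daemon.te` file, the `XXX` scratch file and the commit subjects are stand-ins.

```shell
set -e

# Constructed example, not from the thread: one "upstream" commit, then a messy
# private history on top of it (a real change, a stray scratch file named XXX,
# and a follow-up fix), mirroring the kind of history the review asked to clean up.
make_messy_repo() {
  REPO=$(mktemp -d)
  git -C "$REPO" init -q
  git -C "$REPO" symbolic-ref HEAD refs/heads/master
  git -C "$REPO" config user.email dev@example.invalid
  git -C "$REPO" config user.name "Example Dev"
  echo base > "$REPO/README"
  git -C "$REPO" add README && git -C "$REPO" commit -qm "upstream: base"
  git -C "$REPO" branch last_upstream        # the point where private work diverges
  mkdir "$REPO/selinux"
  echo 'policy_module(git_daemon, 0.1)' > "$REPO/selinux/git_daemon.te"
  git -C "$REPO" add selinux && git -C "$REPO" commit -qm "selinux: add git-daemon policy skeleton"
  echo scratch > "$REPO/XXX"
  git -C "$REPO" add XXX && git -C "$REPO" commit -qm "XXX"
  echo '# TODO: document the booleans' >> "$REPO/selinux/git_daemon.te"
  git -C "$REPO" add selinux && git -C "$REPO" commit -qm "selinux: note missing docs"
}

# Export the private commits as patch files, drop the one that does not make
# sense, and replay the remaining ones onto a fresh branch based on last_upstream.
clean_history() {
  git -C "$REPO" format-patch -q -o patches last_upstream..master
  rm "$REPO"/patches/*-XXX.patch
  git -C "$REPO" checkout -q -b selinux-clean last_upstream
  git -C "$REPO" am -q --3way "$REPO"/patches/*.patch
  rm -rf "$REPO/patches"
}

# Commits on the cleaned branch that upstream does not have (the XXX one is gone).
private_commit_count() {
  git -C "$REPO" rev-list --count last_upstream..selinux-clean
}

# "yes" when the scratch file never made it onto the cleaned branch.
stray_file_absent() {
  if git -C "$REPO" cat-file -e selinux-clean:XXX 2>/dev/null; then echo no; else echo yes; fi
}

make_messy_repo
clean_history
echo "private commits after cleanup: $(private_commit_count)"
echo "XXX absent from cleaned branch: $(stray_file_absent)"
```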

* Re: SeLinux integration
From: Jens Neuhalfen @ 2008-08-18 12:02 UTC
To: Christian Jaeger; +Cc: git

> Jens Neuhalfen wrote:
> > git://www.neuhalfen.name/git-selinux.git
>

Hi Christian,

> I'm just an end user, too, so this isn't representing any official ...

first, thank you for taking your time! I am relatively new to git (I've been poking git for three or four weeks now), so your advice on how-to (and how-not-to) is much appreciated.

The repository is my current development repository which, naturally (?), is based on the 'blessed' repository. My understanding of git was that anyone with a copy of the blessed git repository can 'pull' from my repository and gets my branches, with git transmitting just my changes over the net. Then he/she/it can switch to 'my' branch and test the policy/init-script.

Did I get something wrong there? I thought that this is a/the normal way of using git.

You are right with the commits and their rather terse messages, though: the code is not ready for release or an integration review. The plan was: get some feedback on the current state, refine the code and then send the patches to the list.

Christian, have you been able to test the policy? I am very curious how it works on other machines (say, gentoo) or with other setups (strict-policy is completely untested, although I don't think that anyone really uses it).

Jens

> Christian.

* Re: SeLinux integration
From: Christian Jaeger @ 2008-08-18 12:47 UTC
To: Jens Neuhalfen; +Cc: git

Jens Neuhalfen wrote:
> The repository is my current development repository which, naturally (?), is based on the 'blessed' repository. My understanding of git was, that anyone with a copy of the blessed git repository can 'pull' from my repository and gets my branches with git transmitting just my changes over the net. Then he/she/it can switch to 'my' branch and test the policy/init-script.
>
> Did I get something wrong there? I thought that this is a/the normal way of using git.
>

Well I'm sure you could use it this way; but check for yourself: if you start gitk on your repository, one has to first figure out where to find your work, i.e. one has to follow the right parent in your commits to see all of them; it's certainly possible but I guess not very inviting for people who just want to *look* at your work (as opposed to simply try it out). I'll readily admit that I just wanted to look, not try it out. But maybe I'm not the only one with this as his/her primary aim.

> You are right with the commits and their rather terse messages, though the code are not ready for release or an integration review. The plan was: Get some feedback on the current state, refine the code and then send the patches to the list.
>

Ok, maybe how you're doing it is just fine, I'll leave it to others to judge. But still you should be aware that it's common practice with Git to first clean up private history before publishing it. The history can explain the code much better than is possible by just looking at the latest committed version, and since with Git it is possible to rework the history as long as it is private, people frequently do it, so that the readers can get the most out of it.

(This is more akin to patch sets, where each patch does a certain thing -- versus work steps, which document how you created the changes. The latter documentation is really only of interest for you; for others it's the intended changes which matter. So you could "git branch my_selinux_prepublish_1" to keep the latter history in case you want to look at it again later, then do the history cleanup as I've suggested and publish that instead. And continue to work on that reworked branch, actually.)

> Christian, have you been able to test the policy? I am very curious, how it works on other machines (say, gentoo) or with other setups (strict-policy is completely untested, although I don't think that anyone really uses it).

I don't have any SELinux setup here. I'm playing with the thought of looking into it, that's why the subject of your mail has caught my attention.

Thanks,
Christian.

* Re: SeLinux integration
From: Björn Steinbrink @ 2008-08-18 13:04 UTC
To: Christian Jaeger; +Cc: Jens Neuhalfen, git

On 2008.08.18 14:47:13 +0200, Christian Jaeger wrote:
> Jens Neuhalfen wrote:
>> The repository is my current development repository which, naturally
>> (?), is based on the 'blessed' repository. My understanding of git
>> was, that anyone with a copy of the blessed git repository can 'pull'
>> from my repository and gets my branches with git transmitting just my
>> changes over the net. Then he/she/it can switch to 'my' branch and
>> test the policy/init-script.
>>
>> Did I get something wrong there? I thought that this is a/the normal
>> way of using git.
>
> Well I'm sure you could use it this way; but check for yourself, if you
> start gitk on your repository, one has to first figure out where to find
> you work, i.e. one has to follow the right parent in your commits to see
> all of them; it's certainly possible but I guess not very inviting for
> people who just want to *look* at your work (as opposed to simply try it
> out). I'll readily admit that I just wanted to look, not try it out. But
> maybe I'm not the only one with this as his/her primary aim.

Well, instead of using --reference, I would just add a "selinux" remote to my existing git.git repo, fetch the stuff and then:

    gitk origin/master..selinux/master

It's still not "pretty", but quite usable. And as far as I'm concerned, it's kinda obvious that the git-selinux repo is based on the git.git repo, so I wouldn't say that you're required to mention that explicitly.

Björn

* Re: SeLinux integration
From: Petr Baudis @ 2008-08-18 13:32 UTC
To: Jens Neuhalfen; +Cc: git

Hi,

On Sun, Aug 17, 2008 at 12:44:22PM +0200, Jens Neuhalfen wrote:
> git://www.neuhalfen.name/git-selinux.git

for the mildly curious ones, your friendly gitweb provider service offers

http://repo.or.cz/w/git/selinux.git

Petr "Pasky" Baudis

* Re: SeLinux integration
From: David P. Quigley @ 2008-08-18 14:29 UTC
To: Jens Neuhalfen; +Cc: git

On Sun, 2008-08-17 at 12:44 +0200, Jens Neuhalfen wrote:
> Hi,
>
> I wrote an SeLinux policy and an init.d script for the git-daemon
> and now seek for comments and improvements.
>
> The scripts were tested on my Centos 5.2 box and an older version had
> been tested on FC 9.
>
> Features:
> * multiple configuration files for the init.d script
> * selinux support for git daemon
> * seboolean (git_daemon_update_repository) that forces git-daemon
> into strict read-only mode when set to false
>
> TODO
> * The policy and the accompanying init.d script still lack
> documentation
> * see selinux/BUGS and initd/BUGS
>
> Feel free to pull from my repository and comment. If the everything is
> 'good' I will send patches to the list, so that SeLinux support can be
> integrated into the main repository.
>
> git://www.neuhalfen.name/git-selinux.git
>
> Jens

Hello,

It is great to see people other than the core policy developers working on SELinux policy. One thing I would suggest is to post your policy to the new reference policy mailing list for SELinux. This way people such as Chris PeBenito and Dan Walsh can look over it and give suggestions as well. You can find the list at the link below [1].

[1] http://oss.tresys.com/mailman/listinfo/refpolicy

Dave