[arch-general] Revisit official SELinux support

Leonid Isaev lisaev at umail.iu.edu
Thu Oct 31 13:49:56 EDT 2013


On Thu, 31 Oct 2013 11:29:32 +0100
Jelle van der Waa <jelle at vdwaa.nl> wrote:

> On 10/31/13 at 09:36am, Allan McRae wrote:
> > On 31/10/13 09:36, Timothée Ravier wrote:
> > > On 29/10/2013 01:21, Allan McRae wrote:
> > >> I'd suggest that someone maintains an unofficial repo with all the
> > >> packages required to set this up to prove the work required for
> > >> continual maintenance of this has been done.  Then requests could be
> > >> made to (e.g.) add support to the kernel, providing full details of what
> > >> is required and if it has any effect on those not using SELinux.
> > > 
> > > Hi,
> > > 
> > > I've had this on my TODO list for a while but never got to finish it up
> > > to the point of having a really functional system as it is quite time
> > > consuming (especially the SELinux policy fixing part).
> > > 
> > > But I should have some time for it now so I'll try to make those
> > > packages.
> > > 
> > > Impact for non-SELinux users should be rather minimal:
> > >  * kernel: TOMOYO is already enabled and needs an explicit boot parameter to
> > > operate, and so will SELinux once enabled. No major changes here except
> > > for a slightly bigger kernel.
> > >  * userspace: only a very restricted set of packages needs tweaks, but
> > > it won't impact performance for non-SELinux users. No major changes here
> > > except for slightly bigger packages.
> > > 
> > > Only packagers will be impacted as there are still some patches needed
> > > and this could slow down 'core packages' updates when issues arise. But
> > > fixes usually come quite quickly as both Fedora and Gentoo maintain
> > > packages with SELinux support.
> > 
> > Requiring patches not accepted upstream is an immediate blocker.
> > 
> > > I see a couple of issues that will also have to be resolved for SELinux
> > > on Arch to be usable:
> > >  * It needs some support in pacman, otherwise package updates will be
> > > painful;
> > 
> > I'm interested as a pacman developer what support would be needed, but
> > that too is a likely blocker.
> > 
> > >  * It needs a proper policy tuned for Arch Linux packages. Filesystem
> > > hierarchy differences between Fedora and Arch will prevent us from just
> > > applying the Fedora policy to Arch;
> > >  * Performance comparisons between no-SELinux and disabled-SELinux
> > > installations to make sure the impact is minimal.
> > > 
> > > Cheers,
> > > 
> > > Tim
> > > 
> > > 
> > 
> 
> Although I'm not a fan of SELinux, it would be nice if there was a list
> ( wiki article ) which lists all patches we need to apply on our
> packages. ( Who provides these patches btw. ) And which policy files we
> need to ship with our packages.
> 
> 

Somehow the talk about LSMs keeps coming back again and again... It does not
seem likely that SELinux, even if enabled by default, will be used much.
Indeed, we've had AppArmor for over a year now, yet the entire related userspace
is in AUR, and all profiles have to be hand-written or adapted from OpenSuse
or Ubuntu ones...

Cheers,
-- 
Leonid Isaev
GnuPG key: 0x164B5A6D
Fingerprint: C0DF 20D0 C075 C3F1 E1BE  775A A7AE F6CB 164B 5A6D