SELinux Policy Development
On Sep 11, 2012 4:51 PM, "Alex Brandt" <firstname.lastname@example.org> wrote:
> I've been reading through your wonderful handbook, http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&chap=5, about modifying the SELinux policy in Gentoo but was hoping you could provide a little more specific advice about how to write SELinux policies for personal projects:
> * What's the best way to store this? With the project or as a separate code repository or as a contribution to upstream policies?
Depends on the complexity. If you can manage the personal policies as additional files without patching the existing policies then I would use separate files. Recently you can keep those in the ebuilds if you want.
If the patching of the existing policies is marginal, then I wouldn't recommend creating a separate repo as it is quite a time consuming activity.
> * Is writing live ebuilds for selinux policies recommended or frowned upon?
There are live ebuilds in the hardened dev overlay. They are definitely useful, but don't forget rebuilding occasionally...
> * Where should my policy live in the long run?
If they can benefit others please send them to us - bugzilla - or upstream. If you do it through us I will send it upstream eventually anyhow.
> * Is there anything else that you can recommend for writing policies of this kind?
Just start with it. And perhaps follow the discussions on the refpolicy mailinglist for coding style feedback.
> Thanks for any advice or best practices you can share.
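What "separate files without patching the existing policies" looks like in practice, as an added example that is not part of the thread and not Gentoo's or refpolicy's own code: a self-contained module (`myapp.te`, `myapp.fc`, `myapp.if`) that declares only its own types and reaches base-policy types solely through the interfaces the installed reference policy publishes (`init_daemon_domain`, `files_read_etc_files`, `corenet_tcp_bind_generic_node`, `logging_send_syslog_msg`). The daemon name `myapp`, its paths and the module version are hypothetical placeholders; the build step uses the refpolicy development Makefile that Gentoo installs under `/usr/share/selinux/<type>/include/` and is skipped when those headers are absent.

```shell
#!/bin/sh
# Added example (not from the thread): a personal SELinux policy kept as its
# own loadable module that only *calls* interfaces from the installed
# reference policy, so nothing in the base policy is patched.
# "myapp", its paths and its types are hypothetical placeholders.

# Write the three module source files into directory $1.
write_module_files() {
    dir="$1"
    mkdir -p "$dir"

    # Type enforcement: declare our own types and what the domain may do.
    cat > "$dir/myapp.te" <<'EOF'
policy_module(myapp, 1.0.0)

########################################
# Declarations
type myapp_t;
type myapp_exec_t;
# Daemon started by init: init transitions into myapp_t when it runs myapp_exec_t.
init_daemon_domain(myapp_t, myapp_exec_t)

type myapp_conf_t;
files_config_file(myapp_conf_t)

########################################
# Local policy: raw allow rules only for types this module owns
allow myapp_t self:tcp_socket create_stream_socket_perms;
read_files_pattern(myapp_t, myapp_conf_t, myapp_conf_t)

# Everything touching base-policy types goes through published interfaces,
# so the base policy itself stays unmodified.
files_read_etc_files(myapp_t)
corenet_tcp_bind_generic_node(myapp_t)
logging_send_syslog_msg(myapp_t)
miscfiles_read_localization(myapp_t)
EOF

    # File contexts: labels applied by restorecon / rlpkg.
    cat > "$dir/myapp.fc" <<'EOF'
/usr/bin/myapp          --  gen_context(system_u:object_r:myapp_exec_t,s0)
/etc/myapp(/.*)?            gen_context(system_u:object_r:myapp_conf_t,s0)
EOF

    # Interface file: lets *other* modules transition into myapp_t without
    # needing to know its internals.
    cat > "$dir/myapp.if" <<'EOF'
## <summary>Hypothetical personal daemon (example module).</summary>

########################################
## <summary>
##      Execute myapp in the myapp domain.
## </summary>
## <param name="domain">
##      <summary>Domain allowed to transition.</summary>
## </param>
#
interface(`myapp_domtrans',`
        gen_require(`
                type myapp_t, myapp_exec_t;
        ')
        domtrans_pattern($1, myapp_exec_t, myapp_t)
')
EOF
}

# Locate the refpolicy development Makefile (Gentoo installs one per policy
# type under /usr/share/selinux/<type>/include; other distros use devel/).
find_refpolicy_makefile() {
    for m in /usr/share/selinux/strict/include/Makefile \
             /usr/share/selinux/mcs/include/Makefile \
             /usr/share/selinux/targeted/include/Makefile \
             /usr/share/selinux/devel/Makefile; do
        [ -f "$m" ] && { echo "$m"; return 0; }
    done
    return 1
}

# Build myapp.pp from the sources in $1; prints the .pp path on success.
build_module() {
    dir="$1"
    mk=$(find_refpolicy_makefile) || { echo "refpolicy headers not installed" >&2; return 1; }
    make -C "$dir" -f "$mk" myapp.pp >/dev/null && echo "$dir/myapp.pp"
}

# Install the package and relabel its files (needs root); run explicitly.
load_module() {
    semodule -i "$1" && restorecon -Rv /usr/bin/myapp /etc/myapp
}

# Demo: generate the sources and build them if the headers are present.
demo_dir=$(mktemp -d)
write_module_files "$demo_dir"
if pp=$(build_module "$demo_dir" 2>/dev/null); then
    echo "built $pp (load with: load_module $pp)"
else
    echo "sources written to $demo_dir; install the refpolicy headers to build"
fi
```

Keeping the module this way means a refpolicy upgrade only requires a rebuild against the new headers (the "don't forget rebuilding occasionally" point above); if an interface you call is renamed upstream, the build fails loudly instead of silently loading stale rules.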