09-11-2012, 02:48 PM
Alex Brandt

SELinux Policy Development

Hey Sven,


I've been reading through your wonderful handbook, http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&chap=5, about modifying the SELinux policy in Gentoo but was hoping you could provide a little more specific advice about how to write SELinux policies for personal projects:


* What's the best way to store this? With the project or as a separate code repository or as a contribution to upstream policies?

* Is writing live ebuilds for selinux policies recommended or frowned upon?

* Where should my policy live in the long run?

* Is there anything else that you can recommend for writing policies of this kind?


Thanks for any advice or best practices you can share.


Regards,


--

Alex Brandt

Sales Engineer for Rackspace, RHCE

http://www.alunduil.com

 
09-11-2012, 07:29 PM
Sven Vermeulen

SELinux Policy Development

On Sep 11, 2012 4:51 PM, "Alex Brandt" <alunduil@alunduil.com> wrote:

> I've been reading through your wonderful handbook, http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&chap=5, about modifying the SELinux policy in Gentoo but was hoping you could provide a little more specific advice about how to write SELinux policies for personal projects:
>
> * What's the best way to store this? With the project or as a separate code repository or as a contribution to upstream policies?


Depends on the complexity. If you can manage the personal policies as additional files without patching the existing policies, then I would use separate files. Recently you can keep those in the ebuilds if you want.

If the patching of the existing policies is marginal, then I wouldn't recommend creating a separate repo as it is quite a time-consuming activity.


> * Is writing live ebuilds for selinux policies recommended or frowned upon?


There are live ebuilds in the hardened dev overlay. They are definitely useful, but don't forget rebuilding occasionally...



> * Where should my policy live in the long run?


If they can benefit others please send them to us - bugzilla - or upstream. If you do it through us I will send it upstream eventually anyhow.


> * Is there anything else that you can recommend for writing policies of this kind?


Just start with it. And perhaps follow the discussions on the refpolicy mailing list for coding style feedback.


> Thanks for any advice or best practices you can share.

>

yw ;-)
 
09-14-2012, 03:00 PM
Alex Brandt

SELinux Policy Development

On Tuesday, September 11, 2012 9:29:42 PM Sven Vermeulen wrote:

> Depends on the complexity. If you can manage the personal policies as additional files without patching the existing policies, then I would use separate files. Recently you can keep those in the ebuilds if you want.

Hey Sven,


Thanks for the wonderful feedback. The way I have things set up now is an selinux directory in my project's source directory. Should I move these to the files directory of an ebuild for this selinux policy? Is it acceptable to store them in the project's source (and by extension tarball)?


I'll take a look at the hardened overlay to model my live ebuilds for this but wanted to make sure I wasn't going down the wrong path. All of the ebuilds I've seen use the selinux eclass so extensively that it was hard to separate out where things lived upstream to the ebuild.


Thanks again Sven.


Regards,


--

Alex Brandt

Sales Engineer for Rackspace, RHCE

http://www.alunduil.com

 
09-14-2012, 03:20 PM
Sven Vermeulen

SELinux Policy Development

On Sep 14, 2012 5:03 PM, "Alex Brandt" <alunduil@alunduil.com> wrote:

> Thanks for the wonderful feedback. The way I have things set up now is an selinux directory in my project's source directory. Should I move these to the files directory of an ebuild for this selinux policy? Is it acceptable to store them in the project's source (and by extension tarball)?

Are these just the policy sources for the project? If so, then the code should be fairly isolated. So after policy development I think it is wise to try and submit them upstream later.

> I'll take a look at the hardened overlay to model my live ebuilds for this but wanted to make sure I wasn't going down the wrong path. All of the ebuilds I've seen use the selinux eclass so extensively that it was hard to separate out where things lived upstream to the ebuild.



Yes, for Gentoo the eclass makes it a lot easier to package. However, that has nothing to do with policy development.


Wkr
Sven
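As an added illustration of the split discussed above between what the selinux eclass provides and what the project itself has to ship (this is not code from the thread, the handbook or the hardened overlay): a hypothetical ebuild for a personal project's policy module whose .te/.fc/.if files are kept next to the ebuild rather than patched into refpolicy. The package name sec-policy/selinux-myapp and the refpolicy version are made up, and it assumes the selinux-policy-2 eclass variables MODS, POLICY_FILES and BASEPOL behave as the eclass documentation describes.

```ebuild
# Hypothetical: sec-policy/selinux-myapp/selinux-myapp-2.20120725.ebuild
# The project only supplies three files in FILESDIR (myapp.te, myapp.fc,
# myapp.if); everything else (fetching refpolicy, running its Makefile per
# POLICY_TYPES, installing with semodule) is done by the eclass.
EAPI="4"

IUSE=""

# Name of the SELinux module as semodule will know it.
MODS="myapp"

# Policy sources that are NOT part of upstream refpolicy. The eclass copies
# these from ${FILESDIR} into the build tree before building the module
# (assumption: POLICY_FILES is honoured as its eclass documentation says).
POLICY_FILES="myapp.te myapp.fc myapp.if"

# Reference policy release to build against. For a live ebuild (PV 9999)
# this would be BASEPOL="9999" to track the refpolicy git tree (assumption).
BASEPOL="2.20120725"

inherit selinux-policy-2

DESCRIPTION="SELinux policy for myapp (hypothetical personal project)"
KEYWORDS="~amd64 ~x86"
```

The policy sources themselves stay editable and buildable outside Portage (for example with the refpolicy development Makefile), so the ebuild is packaging only, which is the distinction Sven draws above.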