sven.vermeulen at siphos
Feb 12, 2011, 6:20 AM
SELinux policy module packages
Gentoo Hardened aims to follow the Tresys reference policy closely for the
SELinux policy modules / packages and puts all non-base policies in the
sec-policy/selinux-* packages. We already had a few hints on
#gentoo-hardened about the naming conventions used for those packages.
Naming conventions might seem silly to discuss, but they can make life
difficult in the future so it's better to tackle this before we go to a
stable set of SELinux policies. There are various options available, but let
me first give some information on the issue...
** Naming Collisions, Categories and More...
Well, as you are probably all aware, Gentoo might have naming collisions
when one doesn't provide the category (think app-admin/analog versus
app-emacs/analog). For regular packages, we ask users to provide the category
as well. However, for SELinux policy packages, there's only a single category
currently (sec-policy/), so we might need to provide the necessary naming
conventions in the package names.
However, another problem arises. Some reference policy modules provide
policies for multiple Gentoo packages (think admin/bootloader, which offers
policies for LILO, GRUB, YaBoot and more). If we name our SELinux policy
package after the Gentoo package, what would the package be called then? (In
this particular case, bootloader is part of the base policy so doesn't
require a separate sec-policy/ package.)
And if that isn't enough, Tresys reference policy also uses categories
(admin, apps, kernel, roles, services and system) so they too might have
naming collisions if one would ignore the category. However, once that
occurs, there will be other issues as well, because the reference policy
sources might have categories, but SELinux doesn't, so the module name
itself would require adjustments (cfr. "semodule -l" output).
** SELinux policy module naming convention
So, how should we (Gentoo Hardened) name our SELinux packages to avoid the above
collisions, but also to provide our developers with a consistent guideline
on how to call SELinux module packages?
My suggestion would be to name the packages according to the refpolicy
module name (as it is the source of the package anyhow) without category.
Collisions are unlikely to occur in the near future because SELinux has no
support for categories. In other words, if a collision would occur, the
reference policy would rename their modules (or name the new module
differently) anyhow, so we can easily follow suit.
I'd rather not follow Gentoo's package names. I know it might make it easier
to deduce which sec-policy/selinux-* packages need to be installed on a
system, but this is a temporary situation - in the long term, we want all
packages that have SELinux policies to have an optional (selinux) dependency
against their sec-policy/selinux-* package. The downside would be that we
need to either make duplicate packages for these tools that have policies
within the same module (think the bootloader case) or use a different naming
convention for those particular packages.
So, what are your thoughts on this?