SELinux Policy Development
Hey Sven,

I've been reading through your wonderful handbook,
http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&chap=5
, about modifying the SELinux policy in Gentoo but was hoping you could
provide a little more specific advice about how to write SELinux policies
for personal projects:

* What's the best way to store this? With the project or as a separate code
repository or as a contribution to upstream policies?
* Is writing live ebuilds for selinux policies recommended or frowned upon?
* Where should my policy live in the long run?
* Is there anything else that you can recommend for writing policies of this
kind?

Thanks for any advice or best practices you can share.

Regards,

--
Alex Brandt
Sales Engineer for Rackspace, RHCE
http://www.alunduil.com
Re: SELinux Policy Development
On Sep 11, 2012 4:51 PM, "Alex Brandt" <alunduil@alunduil.com> wrote:
> I've been reading through your wonderful handbook,
> http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&chap=5
> , about modifying the SELinux policy in Gentoo but was hoping you could
> provide a little more specific advice about how to write SELinux
> policies for personal projects:
>
> * What's the best way to store this? With the project or as a separate
> code repository or as a contribution to upstream policies?

Depends on the complexity. If you can manage the personal policies as
additional files without patching the existing policies then I would use
separate files. Recently you can keep those in the ebuilds if you want.

If the patching of the existing policies is marginal, then I wouldn't
recommend creating a separate repo as it is quite a time consuming activity.

> * Is writing live ebuilds for selinux policies recommended or frowned
> upon?

There are live ebuilds in the hardened dev overlay. They are definitely
useful, but don't forget rebuilding occasionally...

> * Where should my policy live in the long run?

If they can benefit others please send them to us - bugzilla - or upstream.
If you do it through us I will send it upstream eventually anyhow.

> * Is there anything else that you can recommend for writing policies of
> this kind?

Just start with it. And perhaps follow the discussions on the refpolicy
mailing list for coding style feedback.

> Thanks for any advice or best practices you can share.
>
yw ;-)
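The "separate files, no patching of existing policies" approach Sven recommends above is what a refpolicy-style policy module looks like in practice. The script below is an added example and is not code from the thread, the Gentoo handbook, or refpolicy itself: it writes the three sources (.te, .fc, .if) for a hypothetical daemon called mydaemon, confined to its own domain and allowed only its own state directory plus a few standard daemon needs, and then builds the module if the refpolicy development Makefile is present. The daemon name, paths and types are assumptions; the interfaces used (init_daemon_domain, files_type, manage_*_pattern, files_var_lib_filetrans, logging_send_syslog_msg, miscfiles_read_localization, files_read_etc_files, corecmd_search_bin, domtrans_pattern) are standard refpolicy interfaces. The Makefile location defaults to the Fedora/Debian path; on Gentoo the headers are installed per policy type under /usr/share/selinux/<type>/include (treat that path as an assumption and check your install), so override SELINUX_DEVEL_MAKEFILE accordingly.

```shell
#!/bin/sh
# Added example (not from the thread): a self-contained SELinux policy
# module for a hypothetical daemon "mydaemon", kept as separate files so
# that no existing policy needs patching. All names are illustrative.
set -eu

# Where the refpolicy development Makefile lives (assumption; override
# with SELINUX_DEVEL_MAKEFILE=/usr/share/selinux/strict/include/Makefile
# or similar on Gentoo).
SELINUX_DEVEL_MAKEFILE="${SELINUX_DEVEL_MAKEFILE:-/usr/share/selinux/devel/Makefile}"

# Write mydaemon.te, mydaemon.fc and mydaemon.if into the given directory.
write_mydaemon_policy() {
    dir="$1"
    mkdir -p "$dir"

    # Type enforcement: declare the domain and its types, then grant only
    # what the daemon needs. Anything not listed here is denied.
    cat > "$dir/mydaemon.te" <<'EOF'
policy_module(mydaemon, 1.0.0)

########################################
#
# Declarations
#

type mydaemon_t;
type mydaemon_exec_t;
init_daemon_domain(mydaemon_t, mydaemon_exec_t)

type mydaemon_var_lib_t;
files_type(mydaemon_var_lib_t)

########################################
#
# Local policy
#

# Full control over its own state directory, and label new entries there.
manage_dirs_pattern(mydaemon_t, mydaemon_var_lib_t, mydaemon_var_lib_t)
manage_files_pattern(mydaemon_t, mydaemon_var_lib_t, mydaemon_var_lib_t)
files_var_lib_filetrans(mydaemon_t, mydaemon_var_lib_t, dir)

# Typical daemon needs: configuration, locale data, syslog.
files_read_etc_files(mydaemon_t)
miscfiles_read_localization(mydaemon_t)
logging_send_syslog_msg(mydaemon_t)
EOF

    # File contexts: which on-disk paths get which labels.
    cat > "$dir/mydaemon.fc" <<'EOF'
/usr/sbin/mydaemon		--	gen_context(system_u:object_r:mydaemon_exec_t,s0)
/var/lib/mydaemon(/.*)?		gen_context(system_u:object_r:mydaemon_var_lib_t,s0)
EOF

    # Interface file: lets other modules transition into the domain
    # without knowing its internal type names.
    cat > "$dir/mydaemon.if" <<'EOF'
## <summary>Example policy for the mydaemon service.</summary>

########################################
## <summary>
##	Execute mydaemon in the mydaemon domain.
## </summary>
## <param name="domain">
##	<summary>Domain allowed to transition.</summary>
## </param>
#
interface(`mydaemon_domtrans',`
	gen_require(`
		type mydaemon_t, mydaemon_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, mydaemon_exec_t, mydaemon_t)
')
EOF
}

# Build mydaemon.pp with the refpolicy development Makefile. Returns 2
# (without failing the script) when the SELinux toolchain is absent, so
# the sources can still be generated on a non-SELinux build host.
build_mydaemon_policy() {
    dir="$1"
    if [ ! -f "$SELINUX_DEVEL_MAKEFILE" ]; then
        echo "no refpolicy Makefile at $SELINUX_DEVEL_MAKEFILE; skipping build" >&2
        return 2
    fi
    ( cd "$dir" && make -f "$SELINUX_DEVEL_MAKEFILE" mydaemon.pp )
}

# Usage: sh mydaemon-policy.sh [output-dir]   (defaults to ./selinux)
out="${1:-./selinux}"
write_mydaemon_policy "$out"
build_mydaemon_policy "$out" || true
```

After a successful build, `semodule -i selinux/mydaemon.pp` loads the module and `restorecon -Rv /usr/sbin/mydaemon /var/lib/mydaemon` applies the labels from the .fc file; keeping the three files in the project's own selinux/ directory, as discussed later in the thread, works because the module references existing policy only through interfaces and never edits it.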
Re: SELinux Policy Development
On Tuesday, September 11, 2012 9:29:42 PM Sven Vermeulen wrote:

> Depends on the complexity. If you can manage the personal policies as
> additional files without patching the existing policies then I would use
> separate files. Recently you can keep those in the ebuilds if you want.

Hey Sven,

Thanks for the wonderful feedback. The way I have things setup now is an
selinux directory in my project's source directory. Should I move these to
the files directory of an ebuild for this selinux policy? Is it acceptable to
store them in the project's source (and by extension tarball)?

I'll take a look at the hardened overlay to model my live ebuilds for this but
wanted to make sure I wasn't going down the wrong path. All of the ebuilds
I've seen use the selinux eclass so extensively that it was hard to
separate out where things lived upstream to the ebuild.

Thanks again Sven.

Regards,

--
Alex Brandt
Sales Engineer for Rackspace, RHCE
http://www.alunduil.com
Re: SELinux Policy Development
On Sep 14, 2012 5:03 PM, "Alex Brandt" <alunduil@alunduil.com> wrote:

> Thanks for the wonderful feedback. The way I have things setup now is an
> selinux directory in my project's source directory. Should I move these to
> the files directory of an ebuild for this selinux policy? Is it acceptable
> to store them in the project's source (and by extension tarball)?

Are these just the policy sources for the project? If so, then the code
should be fairly isolated. So after policy development I think it is wise
to try and submit them upstream later.

>
> I'll take a look at the hardened overlay to model my live ebuilds for
> this but wanted to make sure I wasn't going down the wrong path. All of the
> ebuilds I've seen use the selinux eclass so extensively that it was hard
> to separate out where things lived upstream to the ebuild.

Yes, for Gentoo the eclass makes it a lot easier to package. However, that
has nothing to do with policy development.

Wkr
Sven