Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. Gentoo>
  3. Hardened
Update on SELinux eclass to support different git repo or branch
swift at gentoo
Aug 6, 2014, 1:30 AM
Post #1 of 4 (1691 views)
Permalink
Hi all

Our live sec-policy/selinux-* packages (the ones with the -9999 version)
have been using our git repository for some time. Although users could
always override these with packagename_LIVE_REPO, it meant that they had to
generate such variables for each and every sec-policy/ package out there.

As that is a big nuisance (and you should also not forget to substitute "-"
with "_" in that case) I added two more variables in the SELinux eclass to
make this a lot simpler:

SELINUX_GIT_REPO can now point to a different repo set if you want
SELINUX_GIT_BRANCH can be used to pull in a different branch (default is
master)

The first one (SELINUX_GIT_REPO) allows users to use their own SELinux
policy repository with the live ebuilds, rather than having to use ours (or
do some cludgy things to get their own policies to be loaded). All that we
require is that the repository is still a reference policy clone.

The second one (SELINUX_GIT_BRANCH) allows users to pick a different branch.
This can be interesting when we're doing larger updates on the SELinux
policies with wider testing (or in between developers).

The changes are fully backwards compatible and do not affect users not using
the -9999 ebuilds.

Wkr,
Sven Vermeulen
Re: Update on SELinux eclass to support different git repo or branch [ In reply to ]
jason at perfinion
Aug 6, 2014, 1:42 AM
Post #2 of 4 (1651 views)
Permalink
On 6 Aug 2014 12:30, "Sven Vermeulen" <swift@gentoo.org> wrote:
>
> Hi all
>
> Our live sec-policy/selinux-* packages (the ones with the -9999 version)
> have been using our git repository for some time. Although users could
> always override these with packagename_LIVE_REPO, it meant that they had
to
> generate such variables for each and every sec-policy/ package out there.
>
> As that is a big nuisance (and you should also not forget to substitute
"-"
> with "_" in that case) I added two more variables in the SELinux eclass to
> make this a lot simpler:
>
> SELINUX_GIT_REPO can now point to a different repo set if you want
> SELINUX_GIT_BRANCH can be used to pull in a different branch (default is
> master)

Just to be clear, these go in make.conf then? And the branch variable I
assume will default to "master"?

-- Jason
Re: Update on SELinux eclass to support different git repo or branch [ In reply to ]
swift at gentoo
Aug 6, 2014, 2:10 AM
Post #3 of 4 (1652 views)
Permalink
On Wed, Aug 06, 2014 at 12:42:50PM +0400, Jason Zaman wrote:
> > As that is a big nuisance (and you should also not forget to substitute "-"
> > with "_" in that case) I added two more variables in the SELinux eclass to
> > make this a lot simpler:
> >
> > SELINUX_GIT_REPO can now point to a different repo set if you want
> > SELINUX_GIT_BRANCH can be used to pull in a different branch (default is
> > master)
>
> Just to be clear, these go in make.conf then? And the branch variable I
> assume will default to "master"?

Yes. If you don't want to use a particular branch, then you don't need to
set SELINUX_GIT_BRANCH yourself as it defaults to "master".

The variables are placed in the make.conf file, or can be set as regular
environment variables if you don't want them to persist (like with all other
make.conf variables).

I've also updated the wiki page with this information:
https://wiki.gentoo.org/wiki/Project:SELinux/Development#Fully_Running_Your_Own_Policy

Wkr,
Sven Vermeulen
Re: Update on SELinux eclass to support different git repo or branch [ In reply to ]
aranea at aixah
Aug 6, 2014, 2:22 AM
Post #4 of 4 (1650 views)
Permalink
That sounds great! Up to now, I compiled and loaded my patched policy
manually, but I think I'll switch over to using the -9999's and
configuring them to use my own repo.


Regards,
Luis

Attached Files:

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal