Okay!! I just tried leafnode on a Fedora 8 box and it works over there with SELinux enabled. But I don't follow Fedora, so I can't confirm if they modify the policy or just use what is shipped upstream.
Ritesh

On Tuesday 05 February 2008, Erich Schubert wrote:
> Hi Mark,
>
> > fixed in the Leafnode package. Now you're telling me that this should,
> > as I had originally understood, be fixed in the SELinux packages.
>
> It requires knowledge of leafnode to be fixed. Ideally, it would be
> fixed within the leafnode package, albeit it's more realistic and
> practicable to do it in the refpolicy package (at least when you submit
> the module upstream and they include it - we don't really want to have
> two different versions of the policy module unless there is a good
> reason to do so!)
>
> > I'm sorry, I can't entirely parse what you're saying here. You appear
> > to be talking about having the ability to build new SELinux policies?
>
> No, I'm talking about the toolchain to build SELinux policy MODULES.
> Which is what you need for leafnode.
>
> > This is obviously true - the point is that there is no visible support
> > for including new SELinux policy information in packages.
>
> Incorrect. Just ship a .pp (= policy package, aka policy module) file.
> The -dev package I mentioned is what you need for building the .pp file.
>
> Let me quote the description of the -dev package:
> [...]
> This package provides header files for building your own SELinux
> policy packages compatible with official policy packages.
>
> See, you probably want to make an 'unofficial' policy package for
> leafnode, then try to get it 'official'.
>
> > Either you want me to implement SELinux support in the Leafnode package
> > or you want this to be done in the SELinux packages. Which is the case?
>
> *I* do not care. Heck, I don't even care if leafnode ever gets a policy
> module, since I don't use it. Nor do I currently use SELinux, but that's
> another story. The -dev package exists to allow you to build a policy
> module for leafnode.
> As explained, writing a module for leafnode requires knowledge of where
> leafnode stores its files and which kind of access it needs to these
> files and other system files.
> For maintenance reasons (keeping up with SELinux changes such as
> labeled networking), it's most convenient if you submit the policy
> module to refpolicy upstream, but of course you can also just keep it in
> your package. Someone wrote a policy module for exim and submitted it
> upstream, now it's included there. Sounds like a working approach to me.
> Go ahead and clone the bug to the refpolicy package, but at least use
> the correct package, please. But don't expect that to help getting the
> bug resolved; the usertag already added is more appropriate for tracking
> SELinux related issues.
>
> best regards,
> Erich Schubert

--
Ritesh Raj Sarraf
RESEARCHUT - http://www.researchut.com
"Necessity is the mother of invention."