From: Sven Vermeulen
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] We need *you* for a USE="selinux" dependency
Date: Mon, 5 Dec 2011 20:42:41 +0000
Message-ID: <20111205204241.GA29054@gentoo.org>
In-Reply-To: <4EDC78A5.1040404@gentoo.org>
References: <20111204203550.GA20891@gentoo.org> <4EDC78A5.1040404@gentoo.org>

On Mon, Dec 05, 2011 at 08:54:13AM +0100, "Paweł Hajdan, Jr." wrote:
> > In Gentoo, unlike some other distributions, we try to keep the number of
> > loaded/installed modules to a minimum so that policy rebuilds as well as the
> > system overhead is limited. This results in a "base" policy (provided by
> > selinux-base-policy) and modules (provided by sec-policy/selinux-). To make
> > sure that installations of a package pull in the right SELinux module, the
> > proper dependencies must be defined.
>
> Are you sure this is the right choice? It seems to me that it'd be better to
> focus on making things work, and increasing the complexity of the deps
> makes this harder (and increasing the number of packages you maintain
> too). Unless you have _abundant_ resources to deal with that, I'd like
> to discourage you from handling policies that way.

For end users, this is much more enjoyable. If we load up all policies, then
any interaction with the SELinux policies will take some time. Also, all
policies in memory do take up some space. Finally, for development purposes,
this is very much enjoyable as well, since it allows for much faster policy
development (rebuild policies in seconds to minutes rather than dozens of
minutes).

Maintenance is actually pretty easy. The eclass we use provides us with a
very easy interface to add modules, and because it is a module per ebuild,
we can push changes on individual modules without pushing full policy builds
again.

> Furthermore, imagine I'm adding a new package "foo" that is covered by
> the SELinux policy. Most developers don't use SELinux (hey, I suspect
> most of them don't even use developer profile; bad, bad!). How do I know
> whether it's sec-policy/selinux-foo that's not yet added or
> sec-policy/selinux-games or something else... If the complete policy is
> in one package, this should be obvious, and we don't even need deps for
> that.

I know. This is one major hurdle that we need to take on. Using dependencies
is the "easiest" approach, albeit the most resource intensive one
(initially, that is). I don't mind having the dependencies added as we go.
For our end users, we already documented that missing modules are to be
expected and how to resolve it.

> As said by other devs here, I also think it'd be more effective if you
> just do the change yourself. USE="selinux" doesn't affect anything else
> so it's safe.

Ok, no problem. I'll check on IRC regardless, if not just to give a "heads
up" on changes.

Also, my apologies for not sorting the list. Careful readers will notice it
is sorted, but by the package name, not category :/

Thank you all for the feedback!

Wkr,
Sven Vermeulen