From: Jason Zaman
To: gentoo-hardened@lists.gentoo.org
Date: Mon, 13 Jul 2015 17:51:51 +0400
Subject: Re: [gentoo-hardened] Feedback on article recommending Gentoo for SELinux
Message-ID: <20150713135151.GA21722@meriadoc.Home>
References: <20150712234603.GQ2951@dent.vctlabs.com> <20150713113133.GA17362@meriadoc.Home>

On Mon, Jul 13, 2015 at 03:02:55PM +0200, Sven Vermeulen wrote:
> On Mon, Jul 13, 2015 at 1:31 PM, Jason Zaman wrote:
> > Secondly, related to "poor support for preserving local changes across
> > system updates". The tools now have the concept of priority so users can
> > easily completely replace a distro-provided module at a higher priority
> > (semodule -X 900 -i foo.pp). I haven't (yet) updated our selinux eclass
> > to install at a lower priority but will hopefully do that soon.
>
> We work with the default 400 (100 is for the migrated modules). Do you
> see a reason why we have to explicitly support a particular priority
> in our eclass?

Hmm. I thought the point of the priorities was that things the user has
done should be separate from what the distro provides. Either the distro
uses 400 and any overrides the user does in a higher level, or we change
the eclass to use a lower level and the user gets the default. That way
it's easier for the user to see what customizations have been made.

I was going to make a patch first then discuss, but the basic idea was to
semodule -X 100 -i $MOD.pp then remove the module from level 400
afterwards if it exists.

Thoughts? And if we do, do we want to use level 100? 200?

-- 
Jason
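The priority mechanism discussed in this thread (several copies of the same module at different priorities, the highest one being the active policy) is easiest to see when you parse `semodule --list-modules=full` output. The following Python is an added example, not code from the thread or from the Gentoo selinux eclass: it takes a constructed `semodule -lfull` listing (the column layout of priority, module name, language and an optional "disabled" marker is assumed), reports which copy of each module is active and which distro copies have been shadowed by a user override, and builds the command sequence Jason sketches (install at a lower priority, then drop the copy at the old priority if one exists). The sample listing and the priorities 100 and 400 are constructed for illustration.

```python
"""Inspect SELinux module priorities from `semodule --list-modules=full`.

Added example for the priority discussion above; not part of the original
mail or of any Gentoo tooling.  Assumes the `semodule -lfull` column layout:
    <priority> <module name> <lang: pp|cil> [disabled]
"""
from collections import defaultdict

# Constructed sample listing: 'foo' has a user override at 900 shadowing the
# distro copy at 400, 'bar' has a migrated copy at 100 shadowed by 400, and
# 'baz' is present but disabled.
SAMPLE_LFULL = """\
400 apache            pp
400 foo               pp
900 foo               pp
100 bar               cil
400 bar               pp
400 baz               pp         disabled
"""

DISTRO_PRIORITY = 400  # the default semodule priority, as used by the eclass


def parse_lfull(text):
    """Return a list of (priority, name, lang, disabled) tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # blank or unexpected line
        entries.append((int(fields[0]), fields[1], fields[2],
                        "disabled" in fields[3:]))
    return entries


def active_modules(entries):
    """Map module name -> (priority, lang, disabled) of the copy that takes
    effect, i.e. the one with the highest priority for that name."""
    best = {}
    for prio, name, lang, disabled in entries:
        if name not in best or prio > best[name][0]:
            best[name] = (prio, lang, disabled)
    return best


def overrides(entries):
    """Module names present at more than one priority, with the sorted list
    of priorities.  Any copy below the highest one is shadowed."""
    by_name = defaultdict(list)
    for prio, name, _lang, _disabled in entries:
        by_name[name].append(prio)
    return {name: sorted(prios) for name, prios in by_name.items()
            if len(prios) > 1}


def migration_plan(entries, module, pp_path,
                   new_priority=100, old_priority=DISTRO_PRIORITY):
    """Commands for the approach proposed in the mail: install the distro
    module at a lower priority, then remove the copy at the old priority
    if the listing shows one.  Returns the commands as strings so they can
    be reviewed before being run."""
    cmds = [f"semodule -X {new_priority} -i {pp_path}"]
    if any(n == module and p == old_priority for p, n, _l, _d in entries):
        cmds.append(f"semodule -X {old_priority} -r {module}")
    return cmds


if __name__ == "__main__":
    mods = parse_lfull(SAMPLE_LFULL)
    for name, (prio, lang, disabled) in sorted(active_modules(mods).items()):
        state = "disabled" if disabled else "active"
        print(f"{name:<8} {prio:>4} {lang:<3} {state}")
    for name, prios in sorted(overrides(mods).items()):
        print(f"{name}: copies at {prios}, only {max(prios)} is in effect")
    print("\n".join(migration_plan(mods, "foo", "foo.pp")))
```

Run it against real output with `semodule --list-modules=full | python3 script.py`-style plumbing (replace `SAMPLE_LFULL` with `sys.stdin.read()`); the `overrides` report is the "what has the user customized" view the mail argues for, and it only works cleanly when the distro and the user consistently use different priority levels.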