* [gentoo-hardened] Cleanup of sec-policy (old ebuilds)
From: Sven Vermeulen @ 2011-02-27 13:23 UTC
To: gentoo-hardened
Hi all,

The current sec-policy category contains many old ebuilds for old and
obsoleted SELinux policies. In my opinion, it would be better if we purge
them so that only those based on the 20101213 refpolicy remain (and for
those, only a limited set).

My general idea on purging ebuilds is to drop all stable ebuilds except the
latest stable, and to drop all ~arch ebuilds except the last two or so.

I know the current stable ones might not even function well, but dropping
all stables might result in dependencies being broken for existing users
(even if they run in permissive mode, it would cause Portage to fail
installing master packages that depend on a SELinux policy...)

I don't mind drafting a script or patch that does this, but if a developer
says he doesn't need a patch it'll save me quite some time :-) Also, if you
just prefer a list of ebuilds to keep (for each package) that's fine too,
but in that case don't forget to clean the files/ folder too.

Wkr,
Sven Vermeulen
* Re: [gentoo-hardened] Cleanup of sec-policy (old ebuilds)
From: Anthony G. Basile @ 2011-02-27 15:05 UTC
To: gentoo-hardened
On 02/27/2011 08:23 AM, Sven Vermeulen wrote:
> Hi all,
>
> The current sec-policy category contains many old ebuilds for old and
> obsoleted SELinux policies. In my opinion, it would be better if we purge
> them so that only those based on the 20101213 refpolicy remain (and for
> those, only a limited set).
>
> My general idea on purging ebuilds is to drop all stable ebuilds except the
> latest stable, and to drop all ~arch ebuilds except the last two or so.
>
> I know the current stable ones might not even function well, but dropping
> all stables might result in dependencies being broken for existing users
> (even if they run in permissive mode, it would cause Portage to fail
> installing master packages that depend on a SELinux policy...)
>
> I don't mind drafting a script or patch that does this, but if a developer
> says he doesn't need a patch it'll save me quite some time :-) Also, if you
> just prefer a list of ebuilds to keep (for each package) that's fine too,
> but in that case don't forget to clean the files/ folder too.
>
> Wkr,
> Sven Vermeulen
Since the selinux policies come as a set with the same date as a version
number, wouldn't it be better to, say, remove all the 20080525 first.
Fix any brokenness, then deal with 20090730, etc until we've removed the
sets we want gone?

Since selinux is out of date, I suspect a lot of users (like me) run
~arch for the policies. I'm not sure keeping/removing on the basis of
stable/unstable works.

I don't even know what the policy is for stabilization of sec-policy/*

--
Anthony G. Basile, Ph.D.
Gentoo Developer
* Re: [gentoo-hardened] Cleanup of sec-policy (old ebuilds)
From: Sven Vermeulen @ 2011-02-27 15:14 UTC
To: gentoo-hardened
On Sun, Feb 27, 2011 at 10:05:28AM -0500, Anthony G. Basile wrote:
> Since the selinux policies come as a set with the same date as a version
> number, wouldn't it be better to, say, remove all the 20080525 first.
> Fix any brokenness, then deal with 20090730, etc until we've removed the
> sets we want gone?
I was first thinking of cleaning up everything except the latest 2.20101213
ebuilds, but if we remove any stable policy package and we have 1 user that
has that stable package installed, then his next world update will fail. By
not touching the latest stable ebuild (until the 2.20101213's stabilize) we
at least are more confident that that won't happen.
Wkr,
Sven Vermeulen
* Re: [gentoo-hardened] Cleanup of sec-policy (old ebuilds)
From: Anthony G. Basile @ 2011-02-27 15:22 UTC
To: gentoo-hardened
On 02/27/2011 10:14 AM, Sven Vermeulen wrote:
> On Sun, Feb 27, 2011 at 10:05:28AM -0500, Anthony G. Basile wrote:
>> Since the selinux policies come as a set with the same date as a version
>> number, wouldn't it be better to, say, remove all the 20080525 first.
>> Fix any brokenness, then deal with 20090730, etc until we've removed the
>> sets we want gone?
>
> I was first thinking of cleaning up everything except the latest 2.20101213
> ebuilds, but if we remove any stable policy package and we have 1 user that
> has that stable package installed, then his next world update will fail. By
> not touching the latest stable ebuild (until the 2.20101213's stabilize) we
> at least are more confident that that won't happen.
>
> Wkr,
> Sven Vermeulen
How does stabilization proceed for selinux? Has a precedent been set?
There's over 200 packages. It cannot be done individually.

If we're going to clean up everything except 2.20101213, then let's get
them stabilized first and remove all the others.

--
Anthony G. Basile, Ph.D.
Gentoo Developer
* Re: [gentoo-hardened] Cleanup of sec-policy (old ebuilds)
From: Sven Vermeulen @ 2011-02-27 17:03 UTC
On Sun, Feb 27, 2011 at 10:22:13AM -0500, Anthony G. Basile wrote:
> How does stabilization proceed for selinux? Has a precedent been set?
> There's over 200 packages. It cannot be done individually.

There's no immediate planning to stabilize the packages, although I do think
we will have a stable set in the quite near future (skimming through the
bugreports as we speak and performing lots of tests here locally).

> If we're going to clean up everything except 2.20101213, then let's get
> them stabilized first and remove all the others.

That I can agree to: first stabilize the 2.20101213 set, then start with the
clean-up operation.

Wkr,
Sven Vermeulen