Received: by 2002:a05:6a10:2785:0:0:0:0 with SMTP id ia5csp2364389pxb; Mon, 11 Jan 2021 07:51:49 -0800 (PST) X-Google-Smtp-Source: ABdhPJzfgNb60YeVcmNjEYO9xiEvflKqsM6PFhitu4/RazGMQi2OlLeyhqr0QINATe7QdiWmf/+K X-Received: by 2002:a17:906:9452:: with SMTP id z18mr55473ejx.389.1610380309770; Mon, 11 Jan 2021 07:51:49 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1610380309; cv=none; d=google.com; s=arc-20160816; b=w89vCNN9fEh3abQ1sXtUvHOSMhohP6JMQxbtCqbrA2wuWoRBcWRUf/Os3jUW2qhIlx jJerSecahY50CHuSapNLJxJxYlqKcJTIpzH1Fn9Ob5CeVgf1XZisXvnMN35mTRW3qNEh DRFo3iLC9sFqanIx0OP6nAmd3EW7+eroln8nFL3N+Wnt0Wb/31J9OXN15BWVqEpLDZne FxJBkVXhwZSbB44CrtKVyCBT+WcWARNcPfAlwBI12P+eysKqPtsmypa9TbHA1Cx/DvUc 57vvMMTf3NFNhMU1jTXN2yxD/sqFlVuZfjdvonLJSuOCvB9rAoG2ErpQKHFZun2SP4BH vtiw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=AvjK0uEffAhMR4fgcnY2G0EbvkwJdVCQ1DzOXlWU50Y=; b=BABzDJXQoxrldojLk/Wn/xKx5gBPoxlDgS4y8bZBInyFtoyAV7w3bdQh4mBjTodqrU ALsJ5stZmQm2qk7gTafQMd+XR76gchO9MzYGoeNhEmI2+bbhqGhK71RZX2GoVYNJSzJX U2Eq3yhE8amkzohQCCFkVAAmsh16T4MZorogjdX2JPniZuFpiChb4GAB+FQ1i/FrOfXH 4HUCpJtlmCu2dvo5+PL29fveqOkdNCoMs1bXbj5j+OiVrL4JQ4b7h04rKiQk2tt2/O4Y pq8lEy+x8eA4KuReXmkrXQ5jg4NIOxOkZnH66/hjQLv5ZZJ9zxic1UmAis4lt1GQg6dW a9dQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@coker.com.au header.s=2008 header.b=pI6+gZZ3; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id w17si80889edv.64.2021.01.11.07.51.43; Mon, 11 Jan 2021 07:51:49 -0800 (PST) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@coker.com.au header.s=2008 header.b=pI6+gZZ3; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727279AbhAKPt4 (ORCPT + 18 others); Mon, 11 Jan 2021 10:49:56 -0500 Received: from smtp.sws.net.au ([46.4.88.250]:51522 "EHLO smtp.sws.net.au" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731838AbhAKPt4 (ORCPT ); Mon, 11 Jan 2021 10:49:56 -0500 Received: from liv.coker.com.au (unknown [103.75.204.226]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: russell@coker.com.au) by smtp.sws.net.au (Postfix) with ESMTPSA id 857AB169BA; Tue, 12 Jan 2021 02:49:13 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au; s=2008; t=1610380154; bh=AvjK0uEffAhMR4fgcnY2G0EbvkwJdVCQ1DzOXlWU50Y=; l=2247; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=pI6+gZZ3sBc7jvfkTRO8Woo4EHVzYOuMW9YGGSLwlyAi4lQ6Y4TNFeiJXwYwtQCaH mWBNro40Wt8dTino2MOXZVgRs4julYK8v9l23fzhdznJUdvwYf51+0aNsMg/4bP27L 0QzwsSUJRk8eHDnJbArxng030oVyJTMSd/4AK1T8= From: Russell Coker To: Dominick Grift Cc: Chris PeBenito , refpolicy Subject: Re: [RFC] Purging dead modules Date: Tue, 12 Jan 2021 02:48:59 +1100 Message-ID: <3283555.42QHSe7XtN@liv> In-Reply-To: References: <352607e8-2de0-fc71-8403-15942d65c837@ieee.org> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org On Tuesday, 12 January 2021 2:23:47 AM AEDT Dominick Grift wrote: > > I'm looking to remove modules for dead programs, such as hal and > > consolekit. The question is how long to keep modules for dead > > programs? I'm thinking something like 3-5 years. > > Agree I think we should drop them when the programs aren't in the latest DEVELOPMENT versions of Fedora, Debian, or any other distribution that supports SE Linux. The new policy will only be used by new versions of those distributions. Running a newer version of policy on an older version will not provide any benefits and in some cases won't work properly. People should NOT expect the Git refpolicy to work well on Debian/Buster, if they try it they shouldn't expect much help from me. While I have a general aim that you should be able to upgrade kernel, SE Linux policy (and things that get dragged in with it like libc), and applications separately this isn't a guarantee. If Debian/ Unstable doesn't include a daemon then I have no interest in supporting that daemon with SE Linux policy in Debian/Unstable. People can migrate their configuration to the replacement daemon as part of the process of upgrading SE Linux policy. Distributions like Fedora have a stronger binding between policy and daemons than Debian does, and RHEL has an even stronger binding. That said, Debian tends to keep daemons longer than most distributions. If a daemon doesn't have known security issues and some people like using it then it stays in the archive. When Debian keeps a daemon that loses support upstream your REALLY want good SE Linux policy for it! > some suggestions: > > sectoolm, kdumpgui, kudzu, readahead, smoltclient, tmpreaper, > firewallgui, gift, podsleuth, ptchown, sambagui, yam, hotplug, pcmcia, > dnssectrigger, kerneloops, keyboardd, rhgb, roundup, speedtouch, w3c, > xprint kerneloops is still in Debian/Unstable and running on some of my Debian/ Unstable machines. In Debian/Unstable /etc/init.d/mountnfs-bootclean.sh has type tmpreaper_exec_t, so this is still being used. But I am up for a discussion about other ways of doing this. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/