Hi All,
As a maintainer of the SELinux distribution policy for Fedora, I would like
to start with rebasing SELinux modules with upstream refpolicy.

Unfortunately, refpolicy and Fedora selinux-policy have quite diverged
over time. Doing the full rebase will probably be a really messy
action. I prefer to start with smaller modules from the contrib branch/repo.

However, I have a few questions here. The SELinux policy in Fedora covers more
setups than refpolicy (contains more allow/generic rules). I'll merge
allow rules from refpolicy which are missing in Fedora selinux-policy,
but would you like to see allow rules from Fedora selinux-policy in
refpolicy upstream? A lot of these rules could be Fedora/RHEL specific.
Should I start sending patches and you will decide which
should be merged?
Thanks,
Lukas.
--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
On 03/09/2018 04:16 AM, Lukas Vrabec via refpolicy wrote:
> As a maintainer of the SELinux distribution policy for Fedora, I would like
> to start with rebasing SELinux modules with upstream refpolicy.
>
> Unfortunately, refpolicy and Fedora selinux-policy have quite diverged
> over time. Doing the full rebase will probably be a really messy
> action. I prefer to start with smaller modules from the contrib branch/repo.
>
> However, I have a few questions here. The SELinux policy in Fedora covers more
> setups than refpolicy (contains more allow/generic rules). I'll merge
> allow rules from refpolicy which are missing in Fedora selinux-policy,
> but would you like to see allow rules from Fedora selinux-policy in
> refpolicy upstream? A lot of these rules could be Fedora/RHEL specific.
> Should I start sending patches and you will decide which
> should be merged?
I have not looked at the Fedora policy in some time, so I don't know of
anything specific that would be problematic. My suggestion would be to
start with small changes in contrib that will hopefully not be contentious.
--
Chris PeBenito
On 03/09/2018 11:24 PM, Chris PeBenito wrote:
> On 03/09/2018 04:16 AM, Lukas Vrabec via refpolicy wrote:
>> As a maintainer of the SELinux distribution policy for Fedora, I would like
>> to start with rebasing SELinux modules with upstream refpolicy.
>>
>> Unfortunately, refpolicy and Fedora selinux-policy have quite diverged
>> over time. Doing the full rebase will probably be a really messy
>> action. I prefer to start with smaller modules from the contrib branch/repo.
>>
>> However, I have a few questions here. The SELinux policy in Fedora covers more
>> setups than refpolicy (contains more allow/generic rules). I'll merge
>> allow rules from refpolicy which are missing in Fedora selinux-policy,
>> but would you like to see allow rules from Fedora selinux-policy in
>> refpolicy upstream? A lot of these rules could be Fedora/RHEL specific.
>> Should I start sending patches and you will decide which
>> should be merged?
>
> I have not looked at the Fedora policy in some time, so I don't know of
> anything specific that would be problematic. My suggestion would be to
> start with small changes in contrib that will hopefully not be contentious.
>
Understood, I'll start with rebasing small SELinux modules.
Thanks,
Lukas.
--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.