On 05. 09. 21 15:29, Sam Varshavchik wrote:
The problem isn't the technical details of how to package an
SELinux policy with the package.

The problem is the domain knowledge needed to write that SELinux
policy in the first place. It's siloed mostly in the selinux
package itself. I assert that the documentation above is not going
to be useful to 95% of the package maintainers. A few of them will
know how to write a policy, and then follow the above wiki. The
rest will not. Prove me wrong.

I posted this link before:

https://raw.githubusercontent.com/svarshavchik/libcxx/master/packaging/fedora/libcxx.te

Where is the documentation that explains /all/ of the above, and
what it means? I wrote that policy, of course, but even now, just
a short time later, I can't for the life of me tell you where all
that documentation is. Because there isn't any, I had to figure it out
based on scraps of other selinux policies that I looked at, and
based on my experience with other stuff that did NOT involve
SELinux.

You will not find any documentation that explains /all/ of that on
https://selinuxproject.org

And at most 5% of the above is explained in
https://selinuxproject.org/page/RefpolicyWriteModule

And until the state of the world is such that SELinux is not a
siloed domain, that it's amply documented, and package maintainers
have documentation that they can use to write their own policy,
for the package that they fully understand and support, SELinux
will continue to break random stuff, over and over again.
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org