[refpolicy] Changing build.conf defaults?
Christopher J. PeBenito
cpebenito at tresys.com
Fri Feb 19 12:43:06 CST 2010
On Fri, 2010-02-19 at 02:34 -0800, Justin P. Mattock wrote:
> On Fri, 2010-02-19 at 13:25 -0500, Christopher J. PeBenito wrote:
> > On Fri, 2010-02-19 at 13:00 -0500, Stephen Smalley wrote:
> > > I was wondering whether it would make sense to change the refpolicy
> > > build.conf defaults to more closely reflect the actual settings in use
> > > in modern distributions. In particular, I was thinking that we are long
> > > past the point where it makes sense to make MONOLITHIC=n the default
> > > given that:
> > > - all modern distros with SELinux use modular/managed policy, and
> > > - semodule, semanage, and even setsebool -P will only work if using
> > > modular/managed policy these days.
> > >
> > > Changing the default would eliminate at least one case of common user
> > > error when building from upstream refpolicy on a modern distribution.
> > >
> > > Any objections to changing that default upstream?
> > I don't. But I'll wait for a while before changing it to see if anyone
> > objects.
> No objections here.
> Building a binary policy is easier
> than monolithic (especially in a distro environment),
> e.g. no need for the source to add user/login,
> just semanage.
One thing that I had always hoped was that semanage_expand would be able
to output all of the necessary files, so that a monolithic build in
refpolicy would just be a superset of modular build. In other words, a
monolithic refpolicy build would build a modular policy then link and
expand the modules. Then a lot of the makefile complexity could be
dropped. However, semodule_expand doesn't output file_contexts, at a
Tresys Technology, LLC
(410) 290-1411 x150
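The user error the thread describes (building with MONOLITHIC=y on a distribution whose tooling expects a modular/managed policy) is easy to catch before running make. The script below is an added example and is not code from the thread or from refpolicy itself; it assumes build.conf uses "KEY = value" lines with "#" comments, and the function names, the sample files, and the "default when unset" argument are all constructed here for illustration.

```shell
#!/bin/sh
# Added example (not part of the thread or of refpolicy): read a refpolicy
# build.conf and report whether the build is monolithic or modular, so the
# mismatch described in the thread is caught before building. semodule,
# semanage and setsebool -P only work against a modular/managed policy.

# Return the effective MONOLITHIC value from a build.conf file.
# Assumes refpolicy's "KEY = value" format with '#' comments (assumption).
# As in make, the last assignment wins; an empty result means "not set".
buildconf_monolithic() {
    sed -n 's/^[[:space:]]*MONOLITHIC[[:space:]]*=[[:space:]]*\([yn]\).*/\1/p' "$1" | tail -n 1
}

# Print "monolithic" or "modular" for a build.conf. The default used when the
# key is unset is passed as $2, so the old default (y) and the proposed new
# default (n) can both be modelled.
buildconf_mode() {
    val=$(buildconf_monolithic "$1")
    [ -z "$val" ] && val="$2"
    if [ "$val" = "y" ]; then echo monolithic; else echo modular; fi
}

# Return 1 (and warn) if the configuration would produce a policy that the
# managed-policy tools cannot operate on; usable as a gate in a build script.
check_managed_tools() {
    mode=$(buildconf_mode "$1" "$2")
    if [ "$mode" = "monolithic" ]; then
        echo "warning: MONOLITHIC=y: semodule, semanage and setsebool -P need a modular/managed policy" >&2
        return 1
    fi
    return 0
}

# Constructed sample build.conf fragments (modelled on the format, not copied
# from the project), written to a temp dir so the script runs offline.
sample_dir=$(mktemp -d)
cat > "$sample_dir/monolithic.conf" <<'EOF'
# Policy build type
MONOLITHIC = y
DISTRO = redhat
EOF
cat > "$sample_dir/modular.conf" <<'EOF'
# A commented-out assignment must be ignored
#MONOLITHIC = y
MONOLITHIC = n
EOF
cat > "$sample_dir/unset.conf" <<'EOF'
DISTRO = debian
EOF

# Stand-alone usage: report each sample, using the proposed default of n.
for f in monolithic modular unset; do
    printf '%s: %s\n' "$f.conf" "$(buildconf_mode "$sample_dir/$f.conf" n)"
done
```

Run it against a real checkout with `check_managed_tools /path/to/refpolicy/build.conf n`; a non-zero exit means the config would build a monolithic policy that semodule and semanage cannot manage.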