[refpolicy] ANN: Reference Policy contrib repository

Christopher J. PeBenito cpebenito at tresys.com
Fri Sep 9 11:17:03 CDT 2011

On 09/09/11 11:58, Robert Lee wrote:
> Will this change affect the overall quality of the reference policy from
> a security/vetting standpoint?

I don't expect it to.  The expectation of the committers is the same as it is for me.  I'll still be looking through commits being made, and the committers should be looking at each other's commits too.  Additionally, the way git submodules work (the same as svn externals, if you're familiar) means that the main Reference Policy repo will pin a particular revision of the contrib repo, so you should always get a known good state, not necessarily the current contrib repo state.  Additionally, changes to the contrib modules are normally less/non controversial, since they're generally the best understood applications (eg apache, samba, etc).

> On Fri, 2011-09-09 at 11:35 -0400, Christopher J. PeBenito wrote:
>> The challenge of Reference Policy has always been balancing the needs of having a well reviewed policy against responding to fairly rapid application development and new user needs in Linux.  If you are not familiar with the differences between the Reference Policy and Fedora policy, it is quite large.  Since Fedora is the largest SELinux-enabled distribution, its development version, rawhide, is on the front lines of seeing new features in apps.  Due to Dan and Miroslav's extensive work, the Fedora policy evolves rapidly.  However, this has proven to be too fast for me to constantly review all the changes and integrate them upstream, resulting in the huge difference between the two policies.
>> To ameliorate this situation, additional contributors with commit access have been added for Reference Policy.  To be specific, a large amount of the policy has been moved into a contrib layer (a git submodule), where these contributors may commit.  The core policy modules will remain in the primary Reference Policy repository, for which I remain the maintainer.  Due to its nature, the contrib repository will be faster moving and less reviewed than the core Reference Policy repository.
>> The core modules are critical modules on the system.  This includes all of the kernel layer, most of the system and roles layers, some admin modules, such as bootloader, su, and sudo, and userspace object managers.  It is possible to build a policy using only the core modules.  It is important to ensure these modules are well reviewed to ensure quality, so Reference Policy can be used as a base for both general-purpose systems (e.g. Linux distributions) and custom systems.  All remaining modules were moved to the contrib repository.  An important thing to note is that in the future, modules may move between core and contrib as necessary.
>> For those that have a current checkout of the repository, you will need to do the following to get the new contrib submodule:
>> $ git pull
>> $ git submodule init
>> $ git submodule update
>> If you are looking to check out the repository for the first time, the instructions are at:
>> http://oss.tresys.com/projects/refpolicy/wiki/RepositoryCheckout

Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

More information about the refpolicy mailing list