From Fedora Project Wiki
(typos)
(POC review request)
Line 6: Line 6:
 
* shouldn't we move %selinux_relabel_post to %post (instead of %posttrans) or move the %selinux_relabel_pre into %pretrans?  The former is much more flexible, but probably a lot less optimal.
 
* shouldn't we move %selinux_relabel_post to %post (instead of %posttrans) or move the %selinux_relabel_pre into %pretrans?  The former is much more flexible, but probably a lot less optimal.
 
* should packages Recommend/Require the 'foo-selinux' packages? (consider selinux is enforcing, and people install foo-bar package, but forgot to install foo-selinux), edit: I do think that we should use `Requires: (foo-selinux-targeted if selinux-policy-targeted)`, WDYT?
 
* should packages Recommend/Require the 'foo-selinux' packages? (consider selinux is enforcing, and people install foo-bar package, but forgot to install foo-selinux), edit: I do think that we should use `Requires: (foo-selinux-targeted if selinux-policy-targeted)`, WDYT?
 +
* can anyone from selinux team review this POC https://pagure.io/copr/copr/pull-request/301 (no matter when)
  
 
== policy to sync with global selinux policy? ==
 
== policy to sync with global selinux policy? ==

Revision as of 13:39, 25 September 2018

general questions

  • can the reasons for %defattr 755 be explained?
  • what if one package aims foo-selinux wants to generate foo-selinux-targeted and foo-selinux-mls? (e.g. see copr-selinux) answer: all the %selinux_* macros provide -s option
  • shouldn't we move %selinux_relabel_post to %post (instead of %posttrans) or move the %selinux_relabel_pre into %pretrans? The former is much more flexible, but probably a lot less optimal.
  • should packages Recommend/Require the 'foo-selinux' packages? (consider selinux is enforcing, and people install foo-bar package, but forgot to install foo-selinux), edit: I do think that we should use Requires: (foo-selinux-targeted if selinux-policy-targeted), WDYT?
  • can anyone from selinux team review this POC https://pagure.io/copr/copr/pull-request/301 (no matter when)

policy to sync with global selinux policy?

  • do we have to maintain all the .fc paths, also related to e.g. debian (as is done in selinux-policy-targeted)
  • if something changes in say mysql-selinux, do we have to backport it to selinux-policy-targeted upstream?
  • should we maintain paths for SCLs? Or should each SCL have it's own '*-selinux' package with custom paths?
  • should there be e.g. separated policy for mariadb vs. mysql?