- can the reasons for %defattr 755 be explained?
- No, it was a leftover from selinux-policy.spec and will be removed
- what if one package aims foo-selinux wants to generate foo-selinux-targeted and foo-selinux-mls? (e.g. see copr-selinux) answer: all the %selinux_* macros provide -s option
- There would be two new .tars and most changes to the spec file would appear twice (once for each package).
- The naming convention is up to the maintainer. It would probably be best to use "foo-selinux" for the "targeted" policy and "foo-selinux-mls" for "mls"
- shouldn't we move %selinux_relabel_post to %post (instead of %posttrans) or move the %selinux_relabel_pre into %pretrans? The former is much more flexible, but probably a lot less optimal.
- The selinux_relabel_pre macro takes effect only once per transaction (the first package to use it copies current file_contexts file)
- This is why selinux_relabel_post is called in posttrans (it evaluates all policy changes in the transaction and relabels files accordingly)
- should packages Recommend/Require the 'foo-selinux' packages? (consider selinux is enforcing, and people install foo-bar package, but forgot to install foo-selinux), edit: I do think that we should use
Requires: (foo-selinux-targeted if selinux-policy-targeted), WDYT?
- Yes, they should. We already started using the rich dependency syntax in one package to test it properly. I'll add it into the guidelines
- can anyone from selinux team review this POC https://pagure.io/copr/copr/pull-request/301 (no matter when)
- I created a ticket for it in our Jira (it will be assigned during our next planning meeting) https://projects.engineering.redhat.com/browse/SELINUX-1434
policy to sync with global selinux policy?
- do we have to maintain all the
.fcpaths, also related to e.g. debian (as is done in selinux-policy-targeted)
- Not sure if I understand the question, but the .fc file is necessary because it completely overrides the .fc contained in selinux-policy-targeted
- if something changes in say mysql-selinux, do we have to backport it to selinux-policy-targeted upstream?
- changes should be backported to selinux-policy-targeted
- should we maintain paths for SCLs? Or should each SCL have it's own '*-selinux' package with custom paths?
- each SCL should have it's own *-selinux package with files stored in the selinux store (/var/lib/selinux)
- should there be e.g. separated policy for mariadb vs. mysql?
- this is a special case and should be consulted with the SELinux team (in this case there would probably be a shared database-selinux package)