This string of messages brings up something I wanted to get a
conversation going on how to handle non OS Provided policy.
We all know we need a better mechanism for handling "binary"
the future. ( I think the future is now.)
I see three people providing policy.
I agree, as an ISV we need a way to add custom policy to support our
applications. We currently use a processed version to the policy to have
source modules until the binary modules are part of Fedora.
1. OS Provider with base policy. (It would also be nice if the base
policy got broken into several policies and only the policy
of the running service would be loaded. If we got to this state we
would need a new mechanism for restoring file context since
file_context might not meet the currently loaded policy.
2. Third Party application developers. As the use of targeted policy
has begun to take off, Third Party ISV have started to question
how they can play in this world.
Exactly, see statement above.
I see Tresys Stuff solving the problems of both of the above.
3 Local User customization and minor policies. Currently we
Along with local user policy, there needs to be local network policy
customizations as well. This is required from an MLS perspective and I would
think be useful for TE network restrictions as well.