On Tue, 14 Jan 2014 03:08:47 +1100, Russell Coker <[email protected]> wrote:
> On Mon, 13 Jan 2014 16:19:22 Laurent Bigonville wrote:
> [...]
>
> True. But seeing a list of 400+ modules isn't helpful either. Also
> the module names aren't that informative, *I* had to read the source
> of some of those modules to work out what they were doing.

Well, having them compiled in the base.pp is even less transparent IMHO.

> > When the modules are compiled in the base.pp, doesn't that mean that
> > the user cannot disable the don't audit rules?
>
> If you want to disable dontaudit rules you run "semodule -DB", that
> works for base rules too (at least it did last time I tested, if it
> doesn't it's a bug).

I might be wrong here.

> [...]
> > > Also I'm going to propose removing some modules from upstream.
> > >
> > Well I think that compiling all the modules doesn't really hurt. We
> > have chosen to disable by default the ones that are obviously not for
> > Debian, but install them on disk anyway. They can still be useful
> > for some people.
>
> I don't think so. Ones that aren't for Debian can be expected not to
> work without changes. Shipping broken modules doesn't seem useful.
>

The ones that aren't obviously for Debian (anaconda, ...) could indeed be
dropped. But there are some others that are a bit more on the edge that
should maybe stay.

If you are not shipping them, we'll never receive any bug reports for
them. Some kind of chicken-egg problem I guess.

_______________________________________________
SELinux-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel
