Using Arch for SELinux-Policy management

A few notes

Well, as you can see, this is not complete yet. If you have any question, feel free to ask.

What is Arch?

Arch is a distributed Version Control System; in my opinion, it is the best free SCM solution available currently. The best way to get an initial overview of Arch is to visit the GNU Arch Wiki, which is evolving at a high pace.

General Ideas, Workflow

I currently use Arch to manage the policy on my local workstation and plan to use it for a whole network of Linux clients. There are many ways to use Arch; I describe just one, which I found convenient for me.

On every computer, I have a local archive (under /root/arch/selinux/). This archive holds the local changes. When I want to integrate changes from the main policy, I star-merge from tbleher@gmx.de--selinux/policy--snapshot--0, resolve any conflicts and commit to my local archive.

Setting everything up

# do the following as root:

# set your user identity. This is used e.g. for log messages
tla my-id "Joe Admin (root) <root@your.computer.name.com>"

# register-archive connects the archive name with a location on the net
tla register-archive tbleher@gmx.de--selinux http://www.cip.ifi.lmu.de/~bleher/arch/selinux/

# make-archive creates a new archive: the first parameter gives the
# name of your archive, which should be your email address followed by
# two dashes followed by an identifier.
# The second parameter gives the location of your archive. You will
# never have to work directly in this directory; you can choose it arbitrarily.
tla make-archive root@your.computer.name.com--selinux /root/arch/selinux

tla my-default-archive root@your.computer.name.com--selinux

# branch policy--snapshot--0 into your local archive
tla tag -S tbleher@gmx.de--selinux/policy--snapshot--0 policy--default--0

# make /etc/selinux a working copy of your archive
tla get policy--default--0 /etc/selinux

Updating

Most often you will just want to bring your archive in sync with the latest policy from CVS. This is done with a simple:

cd /etc/selinux
tla star-merge tbleher@gmx.de--selinux/policy--snapshot--0
# to view the changes:
tla what-changed --diffs | less
# ... resolve any merge rejects (.rej files) and make further changes if needed
tla commit -L 'resync with CVS'
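The same update sequence, wrapped so that a star-merge which left reject files behind is never committed before someone has looked at them. This is an added example, not a script from the original page; it assumes the archive names and the /etc/selinux working copy set up above, and the script file name resync-policy.sh is a made-up placeholder.

```shell
#!/bin/sh
# Added example (not from the original page): guard the "Updating" step so
# that unresolved merge rejects (*.rej) block the commit. Assumes the
# upstream archive name and /etc/selinux working copy used on this page.
set -eu

UPSTREAM='tbleher@gmx.de--selinux/policy--snapshot--0'
TREE=${TREE:-/etc/selinux}

# List reject files left behind by a merge in the tree given as $1.
# Prints one path per line; returns 1 if any were found, 0 otherwise.
find_rejects() {
    rejects=$(find "$1" -type f -name '*.rej' 2>/dev/null || true)
    [ -z "$rejects" ] && return 0
    printf '%s\n' "$rejects"
    return 1
}

# Merge from upstream, show the resulting diff for review, and commit
# to the local archive only when no reject files remain in the tree.
resync_policy() {
    cd "$TREE"
    tla star-merge "$UPSTREAM"
    if ! find_rejects "$TREE" >/dev/null; then
        echo "merge left reject files; resolve them, then commit manually:" >&2
        find_rejects "$TREE" >&2 || true
        return 1
    fi
    tla what-changed --diffs | "${PAGER:-less}"
    tla commit -L 'resync with CVS'
}

# Only run the merge when invoked as "resync-policy.sh run", so the
# functions can also be sourced and checked without touching the archive.
case "${1:-}" in
    run) resync_policy ;;
esac
```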
