Re: The possibility of SELinux targeted policy in the default install
Hi Manoj, Russell, Debian-Boot,
Thinking some more about it, I have large doubts that we'll have a
somewhat working SELinux out of the box with etch. There is still quite
some stuff we would need to do some auto setup magic (or at least
convince the maintainers).
For example both /etc/pam.d/login and /etc/pam.d/ssh need to be
modified. The modification in ssh is in, just needs to be uncommented. I
think Uwe just contacted the shadow maintainers about the login change.
I don't know at which cost we could have them uncommented in both; but
for SELinux to work out of the box we would need that.
We would also need to relabel the filesystem post installation, i.e. at
the end of the installer run, so the new system could be booted with the
policy in place and subsequent installations will already use the
And there are lots of other things I have doubts we'll be able to sort
out soon enough.
For example files created by postinst scripts. Files installed by dpkg
should automatically be labeled correctly due to patches in dpkg (IIRC).
But this doesn't apply to things happening in postinst scripts.
So we DO need a selinux enabled install ASAP to track these down, but
I'm not convinced we'll be able to do so in time for etch to provide
selinux installations to everybody.
And if we don't manage proper SELinux installations within
debian-installer, it's probably better to work some more on the
selinux-basics package, and try to make it a "selinuxify" package, which
will assist you in enabling selinux. Actually there is already some code
in selinux-basics (it's just not used yet), that can for example disable
chroots in postfix. This could be extended to changes such
as /etc/pam.d/login and some /etc/default/* changes.
erich@(vitavonni.de|debian.org) -- GPG Key ID: 4B3A135C
To understand recursion you first need to understand recursion.
Great lords and beautiful women
one should gladly serve, but little trust. --- Georg Rollenhagen
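As an added example, not code from this mail or from selinux-basics: a small Python checker that applies file_contexts matching (last matching entry wins, as matchpathcon does) to a constructed ls -Z style snapshot and reports files whose label differs from what the policy says, i.e. the kind of postinst-created files the mail wants to track down. The file_contexts excerpt, the labels and the paths are all constructed for the example and are not Debian's actual policy.

```python
import re
# Constructed excerpt in the file_contexts format of an SELinux policy
# (regex, optional file-type flag, context). Not Debian's actual policy.
FILE_CONTEXTS = """
/.*                                   system_u:object_r:default_t:s0
/etc(/.*)?                            system_u:object_r:etc_t:s0
/etc/ssh/ssh_host_.*_key        --    system_u:object_r:sshd_key_t:s0
/var/spool/postfix(/.*)?              system_u:object_r:postfix_spool_t:s0
/var/spool/postfix/etc(/.*)?          system_u:object_r:etc_t:s0
"""
_TYPE_FLAGS = {"--": "-", "-d": "d", "-l": "l", "-c": "c", "-b": "b", "-s": "s", "-p": "p"}  # flag -> ls type char

def parse_file_contexts(text):
    """Return [(compiled regex, ls type char or None, context), ...] in file order."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        regex, *flag, context = fields          # the type flag column is optional
        ftype = _TYPE_FLAGS[flag[0]] if flag else None
        specs.append((re.compile("^" + regex + "$"), ftype, context))
    return specs

def expected_context(specs, path, ftype):
    """Like matchpathcon: the last matching entry wins, so the more specific
    rules placed later in the file override the generic ones above them."""
    match = None
    for pattern, spec_type, context in specs:
        if (spec_type is None or spec_type == ftype) and pattern.match(path):
            match = context
    return match

def find_mislabeled(specs, listing):
    """listing: (path, ls type char, actual context or None if unlabeled)."""
    problems = []
    for path, ftype, actual in listing:
        expected = expected_context(specs, path, ftype)
        if expected is not None and actual != expected:
            problems.append((path, actual, expected))
    return problems

# Constructed ls -Z style snapshot of a freshly installed system.
LISTING = [
    ("/etc/ssh/ssh_host_rsa_key", "-", "system_u:object_r:sshd_key_t:s0"),  # correct
    # Copied into the chroot by a postinst: inherited the parent directory's label.
    ("/var/spool/postfix/etc/hosts", "-", "system_u:object_r:postfix_spool_t:s0"),
    # Created by mkdir in a postinst before the filesystem was ever relabeled.
    ("/var/spool/postfix/public", "d", None),
]
```

On a real system the same comparison against the installed policy is what `restorecon -nv` prints, without changing anything.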