Re: The possibility of SELinux targeted policy in the default install

On Thu, 14 Sep 2006 23:11:10 +0200, Frans Pop <elendil@planet.nl> said: 

> On Thursday 14 September 2006 22:02, Joey Hess wrote:
>> Manoj Srivastava wrote:
>> >         The size of the .debs for targeted policy is 2185702
>> >         Bytes.

>> I don't have any real problem with adding 2 mb more to standard. A
>> tasksel task could be done if there's some reason not to add it to
>> standard.

> Having it separate would allow people who know they don't want it to
> deselect it.

> Promoting selinux to standard is probably a post-Etch issue anyway
> as there is currently very little feedback and AIUI quite a bit of
> tuning is needed yet.

        If you say enabling SELinux by default, like Fedora ships it, I
 agree it is a post-Etch task.  And most of the tweaking is for strict
 policy; which is not what is being proposed here. I imagine there
 would be a short document on how to enable targeted policy:

 1) Edit /etc/init.d/{login,ssh} to uncomment/add one line
 2) Edit /boot/grub/menu.lst to enable selinux on the command line;
 3) run two setfiles commands
 4) reboot, and you are done

        I think we are pretty much go for targeted, or shall be in a
 short while (I am in the process of making my guest machine a
 targeted policy box); after all, Fedora and Gentoo folk say targeted
 works out of the box for them, and so what we still have is adding
 Debian tweaks.

        Now, people who don't want them can also remove the selinux
 policy package anytime as well.

        I think it is a good idea to lower the barrier for entry to be
 running SELinux, but I might be biased.

