Re: Bug#390760: debian-installer: Support targeted SELinux in the installer
On Tue, 03 Oct 2006 15:44:55 +0200, Frans Pop <elendil@planet.nl> said:
> On Tuesday 03 October 2006 01:08, Otavio Salvador wrote:
>> Manoj Srivastava <srivasta@debian.org> writes:
>> > We are at a point where we can support a targeted SELinux
>> > policy, at least in permissive mode. I suggest that we ship
>> > SELinux installed, but turned off by default; and a README or a
>> > short shell script for the local administrator to enable
>> > SELinux. Our support at this point is better in some respects than
>> > any other distribution (selecting and installing modular policy
>> > modules, for instance). All the core packages support SELinux
>> > (unlike in, say, Ubuntu).
>>
>> What about adding it as a task in tasksel and making grub-installer
>> enable it in case the task is selected?
> On IRC yesterday Manoj was very clear that this is _not_ what we
> want at this point. The main reason AIUI is that enabling it without
> checking the setup first may break applications as we don't yet have
> perfect policies for a lot of important packages.
> Enabling SELinux will require some manual changes by the user. Where
> documentation on how to enable it can be found should be documented in
> the Etch Release Notes.
This is exactly right. Erich had a short write up on his blog
about how to enable SELinux, and it involved relabelling the file
system and two reboots :)
We are trying to be SELinux capable, but stopping short of
enabling SELinux by default; that could be a goal for Etch + 1.
manoj
--
If you're right 90% of the time, why quibble about the remaining 3%?
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C