SE Linux in Etch - was Release sarge now, or discuss etch issues?

To: debian-devel@lists.debian.org
Subject: SE Linux in Etch - was Release sarge now, or discuss etch issues?
From: Russell Coker <russell@coker.com.au>
Date: Wed, 20 Apr 2005 10:13:54 +1000
Message-id: <[🔎] 200504201013.57300.russell@coker.com.au>
Reply-to: russell@coker.com.au
In-reply-to: <20050314223244.GC17365@kitenet.net>
References: <20050314044505.GA5157@mauritius.dodds.net> <87zmx6uiwz.fsf_-_@alhambra.kuesterei.ch> <20050314223244.GC17365@kitenet.net>

On Tuesday 15 March 2005 09:32, Joey Hess <joeyh@debian.org> wrote:
> The fact that the release team now sees the light at the end of the
> tunnel for the release of sarge means that now is the time we need to
> begin planning for etch. Allowing unstable development to pick back up
> after a release with no clear plan for the next release has been shown
> time and time again to delay the next release by one to two *years*.
> The rest follows from that.

Currently we plan to have libselinux in base for Etch.  SE Linux code is in 
cron and logrotate which can be simply recompiled for full SE support.  Fcron 
already is compiled with SE Linux support.  The maintainer of sysvinit has 
agreed in concept to compile with SE support once libselinux is in base.

We can basically make SE Linux usable by most people with a small amount of 
work once the above changes are made.

I would like to see a general goal for Etch to have SE Linux as an option at 
install time.  The installer needs to ask two questions of the user:

Do you want SE Linux?  (yes/no/permissive mode - default no)
Which policy do you want?  (strict/targeted - default strict)

If SE Linux is to be installed then the selected policy package has to be 
installed, that package will have dependencies for all required utility 
packages.

If permissive mode is selected then a simple command will be run to change the 
configuration of SE Linux appropriately.

My general idea at this time is to have the kernel used for running the 
installer not supporting SE Linux to save disk space for the boot loader.  
There is no requirement that a SE Linux kernel be used to install SE Linux.

Note that we may not have SE Linux support for all file system types supported 
for the root file system (ReiserFS has only just got support).  Ideally the 
installer would know about this and not permit the combination of SE Linux 
and a file system that doesn't have proper XATTR support.  But if the 
installer doesn't know about it then someone who chooses SE Linux would just 
have to know which file system types that they can use.  Ext3 and XFS are the 
main file systems that people want to use and they work well with SE Linux.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

Reply to:

Follow-Ups:
- Re: SE Linux in Etch - was Release sarge now, or discuss etch issues?
  - From: Manoj Srivastava <srivasta@debian.org (va, manoj)>

Prev by Date: Re: Bug#305287: ITP: slony1 -- Slony-I is a "master to multiple slaves" replication system with cascading and failover.
Next by Date: Re: Bug#305287: ITP: slony1 -- Slony-I is a "master to multiple slaves" replication system with cascading and failover.
Previous by thread: Bug#305421: ITP: libtemplate-plugin-yaml-perl -- simple Template Toolkit Plugin Interface to the YAML module
Next by thread: Re: SE Linux in Etch - was Release sarge now, or discuss etch issues?
Index(es):
- Date
- Thread