Re: Making SELinux standard for etch

On Fri, Oct 06, 2006 at 05:35:32PM -0500, Manoj Srivastava wrote:
>         As shipped, the Debian kernel images have SELinux compiled in,
>  but disabled, a command line parameter is required to turn SELinux
>  on. When SELinux is turned on (by enabling it in grub), the default
>  policy settings are that the machine would come on in permissive mode,
>  using the targeted policy; so the worst case scenario is that
>  there would be lots of log messages if someone "accidentally" turned
>  on SELinux.
>         I think we are ready.  And shipping SELinux by default would
>  be a positive thing, in these days of accelerating attacks :)

Just a heads up... this won't be making it into etch, but Xorg upstream
just integrated a new security infrastructure into the X server which is
designed to handle, among other things, SELinux policies. The feature is
named 'XACE' and will ship with 7.2. We'll be shipping 7.1 with etch, but
this is something we should exploit when 7.2 hits unstable.

 - David "I know nothing about SELinux" Nusinow

