Re: [RFC] Changing priority of selinux back to optional

[Manoj Srivastava <srivasta@debian.org>]

On Tue, 5 Feb 2008 23:19:14 +0100, Frans Pop <elendil@planet.nl> said: 

> The priority of selinux packages was changed from optional to
> standard, fairly shortly before the release of Etch.

> I propose to revert that change before Lenny. The basic reason is that
> the selinux packages have basically been unmaintained since the
> release of Etch. Because of that current SeLinux just cannot be
> expected to work.

        While this is mostly true (I have been swamped in real life
 work), I do expect tha to change this spring (indeed, most of the
 SELinux packages are now sitting in incoming -- happy happenstance)

> An additional reason is that the installation of selinux packages adds
> significantly to the size of the base system and accounts for a
> significant part of the time it takes to install the "standard" task,
> especially on slower architectures. This would be OK if there were
> real benefits in having SeLinux, but ATM that benefit is just not
> there.

        I am not sure I agree. SELinux is working for me in production
 on  Lenny/Sid machines; 

> Packages (both tools and policy packages) currently available in
> unstable and testing are seriously outdated when compared with their
> upstream versions. This also means that, with the soft freeze for
> Lenny starting fairly soon, that there is little time left to
> substantially improve the SeLinux support in Debian, which was one of
> the arguments for making it standard in the first place.

        Err, I think you are making far too much of the amount of effort
 required.  While we are a few minor version behind; updating it was a
 days effort -- apart from policy, which I'll get to tomorrow.

        So I am not sure we are in dire straits, but y'all will have to
 make that decision.

> Some facts.

> Package etch lenny/sid upstream policycoreutils 1.32-3 2.0.16-1 2.0.42
> (?)  setools 2.4-3 2.4-3 3.3.2 refpolicy 0.0.20070507-5 0.0.20070507-5
> 20071214 libsepol 1.14-2 2.0.3-1 2.0.20 (?)  libselinux 1.32-3
> 2.0.15-2 2.0.50 (?)

> None of the packages in Debian has been updated since June/July 2006.

        That is indeed true.  It is also nmo longer the case, but I
 can't excuse the fact that I have been very busy.

> There are also some longstanding bugs, including fairly simple
> packaging errors in Etch, none of which have been addressed. Examples:
> - #440474: chcat: syntax errors
> - #405975: semodule_deps and semodule have alignment issues
> - #427906: postinst: policy package name to deb name, lacks glob
>   #support
> - #438604: selinux-basics: Invalid test for dynamic motd updating
> - #438706: selinux-doc: Error in doc-base definition
> - #438887: refpolicy: Spurious "+" causes warnings when building
>   #modules

> None of these bugs has seen any reaction from the package maintainers.

        Mostly fixed.

        manoj
-- 
Excess of grief for the deceased is madness; for it is an injury to the
living, and the dead know it not.  -- Xenophon
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C