
Re: Should selinux be standard?

Martin Michlmayr wrote:
> I'd like to ask whether selinux should really be installed by default.
> On the Linksys NSLU2, a very popular device with only 32 MB of RAM,
> installing selinux-policy-default takes at least half an hour (with
> heavy swapping) or possibly even more.  This is a major regression
> from the installer experience of etch.  A bug about this problem was
> filed about 3 weeks ago (#495786) but there was no response from the
> maintainer at all.

Although I agree with your basic question, I do wonder how it can be a 
regression from Etch as selinux was also "priority standard" for Etch.
It was my impression that selinux installation had become faster recently 
after Russell reworked the packaging, at least on x86.

The reason it was made priority standard not long before the release of
Etch was because Manoj wanted to see if having it installed by default
would promote more general adoption and actual use of SELinux.
Unfortunately the actual thing that happened was that SELinux has
essentially been unmaintained for most of Lenny's development cycle, that
the promised support was completely absent.
SELinux packaging has only very recently been revived when Russell stepped
in (with major improvements from what I've seen).

I think Etch has shown that merely having SELinux standard does _not_
promote its wider use. I would also argue that people who actually want
to use SELinux will also know how to install it afterwards.

I also feel that SELinux is not sufficiently tuned for Debian. I don't
know what the exact current status is and what has changed since Russell 
stepped in, but when I tried it last year a lot of additional tuning was 
needed to get for example normal package upgrades to run cleanly.

And finally, I too have frequently been annoyed at the time taken by SELinux
installation during installation tests. Especially on slower hardware or
in emulators it can be quite painful.

For those reasons I support the suggestion to change the priority of
SELinux back to optional.
We can always discuss returning it to priority standard if/when SELinux is
really ready to be not only installed by default, but also activated by
default. And even then I can see it being implemented as a "secure
system" task in tasksel or as a separate debconf question during 
installation rather than by raising priority to standard.

Note that I did bring up this question earlier, at that point primarily 
because of its maintenance status [1].


[1] http://lists.debian.org/debian-devel/2008/02/msg00223.html
