[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Should selinux be standard?

On Sunday 14 September 2008 20:40, Frans Pop <elendil@planet.nl> wrote:
> Although I agree with your basic question, I do wonder how it can be a
> regression from Etch as selinux was also "priority standard" for Etch.
> It was my impression that selinux installation had become faster recently
> after Russell reworked the packaging, at least on x86.

I changed the postinst such that instead of running semodule ~24 times it 
would run it twice.  The next version of the policy packages will run it once 
(for an incremental benefit - nothing like the benefit of going from ~24 to 

> The reason it was made priority standard not long before the release of
> Etch was because Manoj wanted to see if having it installed by default
> would promote more general adoption and actual use of SeLinux.
> Unfortunately the actual thing that happened was that SeLinux has
> essentially been unmaintained for most of Lenny's development cycle, that
> the promised support was completely absent.
> SeLinux packaging has only very recently been revived when Russell stepped
> in (with major improvements from what I've seen).

Now Manoj is actively working on it too.  Things are starting to work pretty 


For a typical desktop system (such as my EeePC) a default installation of SE 
Linux in Lenny works for most things.  If you add the packages from my 
repository (see the above URL) then mplayer also works in a default 

> I also feel that SeLinux is not sufficiently tuned for Debian. I don't
> know what the exact current status is and what has changed since Russell
> stepped in, but when I tried it last year a lot of additional tuning was
> needed to get for example normal package upgrades to run cleanly.

Things have changed a lot since then.  Please try installing SE Linux now and 
you will find everything a lot easier.

> And finally, I too have frequently been annoyed at the taken by SeLinux
> installation during installation tests. Especially on slower hardware or
> in emulators it can be quite painful.


Pages such as the above document that you can pass "selinux=0" as a parameter 
to the Fedora installation kernel to not have SE Linux enabled.  Would it be 
possible to have the Debian installer look for "selinux=0" on the kernel 
command-line and then not install the SE Linux packages?

> For those reasons I support the suggestion to change the priority of
> SeLinux back to optional.
> We can always discuss returning it to priority standard if/when SeLinux is
> really ready to be not only installed by default, but also activated by
> default. And even then I can see it being implemented as a "secure
> system" task in tasksel or as a separate debconf question during
> installation rather than by raising priority to standard.
> Note that I did bring up this question earlier, at that point primarily
> because of its maintenance status [1].

Yes, unfortunately I had been lacking time to work on it for a while.  Now 
I've got more time and things are working well.

http://etbe.coker.com.au/          My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development

Reply to: