Re: Should selinux be standard?
On Sunday 14 September 2008 20:40, Frans Pop <firstname.lastname@example.org> wrote:
> Although I agree with your basic question, I do wonder how it can be a
> regression from Etch as selinux was also "priority standard" for Etch.
> It was my impression that selinux installation had become faster recently
> after Russell reworked the packaging, at least on x86.
I changed the postinst such that instead of running semodule ~24 times it
would run it twice. The next version of the policy packages will run it once
(for an incremental benefit - nothing like the benefit of going from ~24 to
> The reason it was made priority standard not long before the release of
> Etch was because Manoj wanted to see if having it installed by default
> would promote more general adoption and actual use of SeLinux.
> Unfortunately the actual thing that happened was that SeLinux has
> essentially been unmaintained for most of Lenny's development cycle, that
> the promised support was completely absent.
> SeLinux packaging has only very recently been revived when Russell stepped
> in (with major improvements from what I've seen).
Now Manoj is actively working on it too. Things are starting to work pretty
For a typical desktop system (such as my EeePC) a default installation of SE
Linux in Lenny works for most things. If you add the packages from my
repository (see the above URL) then mplayer also works in a default
> I also feel that SeLinux is not sufficiently tuned for Debian. I don't
> know what the exact current status is and what has changed since Russell
> stepped in, but when I tried it last year a lot of additional tuning was
> needed to get for example normal package upgrades to run cleanly.
Things have changed a lot since then. Please try installing SE Linux now and
you will find everything a lot easier.
> And finally, I too have frequently been annoyed at the time taken by SeLinux
> installation during installation tests. Especially on slower hardware or
> in emulators it can be quite painful.
Pages such as the above document that you can pass "selinux=0" as a parameter
to the Fedora installation kernel to not have SE Linux enabled. Would it be
possible to have the Debian installer look for "selinux=0" on the kernel
command-line and then not install the SE Linux packages?
> For those reasons I support the suggestion to change the priority of
> SeLinux back to optional.
> We can always discuss returning it to priority standard if/when SeLinux is
> really ready to be not only installed by default, but also activated by
> default. And even then I can see it being implemented as a "secure
> system" task in tasksel or as a separate debconf question during
> installation rather than by raising priority to standard.
> Note that I did bring up this question earlier, at that point primarily
> because of its maintenance status.
Yes, unfortunately I had been lacking time to work on it for a while. Now
I've got more time and things are working well.
http://etbe.coker.com.au/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
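
The check proposed above (look for "selinux=0" on the kernel command line before installing the SE Linux packages) could be sketched as follows. This is an added example, not part of the original message and not debian-installer code; the function names are hypothetical, and it assumes that when the parameter is repeated the last occurrence wins and that no token contains quoted whitespace.

```shell
#!/bin/sh
# Added illustration: decide whether an installer hook should skip the
# SE Linux packages based on the kernel command line.
# Function names are hypothetical; this is not debian-installer code.

# selinux_cmdline_value CMDLINE
# Prints the value of the last "selinux=" token, or nothing if absent.
# Runs in a subshell so "set -f" and the variables do not leak to the caller.
selinux_cmdline_value() (
    value=""
    set -f                      # no glob expansion while word-splitting
    for token in $1; do
        case "$token" in
            # Only a token that starts with "selinux=" counts, so a
            # different parameter such as "noselinux=0" is ignored.
            selinux=*) value="${token#selinux=}" ;;
        esac
    done
    printf '%s' "$value"
)

# should_skip_selinux CMDLINE
# Returns 0 (skip the packages) only for an explicit "selinux=0".
# A missing or unrecognised value keeps the default: install as usual.
should_skip_selinux() {
    [ "$(selinux_cmdline_value "$1")" = "0" ]
}

# Constructed sample command lines (not taken from a real system).
for sample in \
    "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet" \
    "BOOT_IMAGE=/vmlinuz root=/dev/sda1 selinux=0" \
    "BOOT_IMAGE=/vmlinuz selinux=0 root=/dev/sda1 selinux=1" \
    "BOOT_IMAGE=/vmlinuz root=/dev/sda1 noselinux=0"
do
    if should_skip_selinux "$sample"; then
        echo "skip SE Linux packages: $sample"
    else
        echo "install as usual:       $sample"
    fi
done
```

On a running system the same functions can be fed the live command line with `should_skip_selinux "$(cat /proc/cmdline)"`.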