Re: Should selinux be standard?

Sorry for the delay in replying; you forgot to CC me...

On Tuesday 16 September 2008 22:12, Josselin Mouette <joss@debian.org> wrote:
> On Sunday 14 September 2008 at 21:32 +1000, Russell Coker wrote:
> > For a typical desktop system (such as my EeePC) a default installation of
> > SE Linux in Lenny works for most things.
> What do you mean by "most things"? What is not working?

The things that are not likely to be security problems will work well.

> > If you add the packages from my
> > repository (see the above URL) then mplayer also works in a default
> > configuration.
> Mplayer? That’s one application. Do all applications that are part of
> the default setup work as expected? How many of them do not work without
> using an external repository?

The problem with mplayer is that it depends on libraries written and packaged 
by people who are more concerned about a possible 15% performance increase 
than a proven security risk.

There is an SE Linux boolean that you can set to enable execmod access, reduce 
the security of your system, and get a performance benefit for some 

> Is SELinux working out of the box? From your blog entries, I have the
> strong feeling that it is not the case.

Why don't you test it?  I've documented how to enable it, it's really not 

> If the answer to this question is "yes", what is the reason for not
> enabling it by default?

I think that we should enable it by default as Fedora did years ago.  But I 
think it's too late to do that now (and was too late on the 16th of Sep).

