Re: Should selinux be standard?
Sorry for the delay in replying, you forgot to CC me...
On Tuesday 16 September 2008 22:12, Josselin Mouette <joss@debian.org> wrote:
> Le dimanche 14 septembre 2008 à 21:32 +1000, Russell Coker a écrit :
> > For a typical desktop system (such as my EeePC) a default installation of
> > SE Linux in Lenny works for most things.
>
> What do you mean by "most things"? What is not working?
The things that are not likely to be security problems will work well.
> > If you add the packages from my
> > repository (see the above URL) then mplayer also works in a default
> > configuration.
>
> Mplayer? That’s one application. Do all applications that are part of
> the default setup work as expected? How many of them do not work without
> using an external repository?
The problem with mplayer is that it depends on libraries written and packaged
by people who are more concerned about a possible 15% performance increase
than a proven security risk.
There is a SE Linux boolean that you can set to enable execmod access, reduce
the security of your system, and get a performance benefit for some
operations.
> Is SELinux working out of the box? From your blog entries, I have the
> strong feeling that it is not the case.
Why don't you test it? I've documented how to enable it, it's really not
difficult.
> If the answer to this question is "yes", what is the reason for not
> enabling it by default?
I think that we should enable it by default as Fedora did years ago. But I
think it's too late to do that now (and was too late on the 16th of Sep).
--
russell@coker.com.au
http://etbe.coker.com.au/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
Reply to: