[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Override changes standard -> optional

On Wednesday 31 December 2008 11:32, Frans Pop <elendil@planet.nl> wrote:
> Russell Coker wrote:
> > Frans Pop wrote:
> > > Not really. SELinux is not even close to functional after a standard
> > > installation. For one thing, it gets installed *after* the initrd gets
> > > generated and the initrd does not get regenerated, so the admin has to
> > > do that manually after rebooting into the installed system.
> >
> > There is no need to regenerate an initrd in Debian.
> I just did a standard i386 install using the instructions on the wiki [1]
> (which BTW look to be rather outdated in several respects).

They were, I have just made some significant changes.

> I did my previous test at the time of the discussion in September and
> remember that I did need to regenerate the initrd then to get rid of some
> errors. It does seem better now.
> However, I still had to regenerate the initrd because of the instruction
> to add "no_static_dev="1" for udev.

Previously I hadn't realised that was possible.  It's mostly a cosmetic issue.  
Some daemons recursively scan /dev and generate some audit messages if you 
don't do it.  But there is no security issue.  I have all my SE Linux 
machines running without that change.

> I also feel that as long as you need to check for instructions in a wiki
> and manually edit various config files (most importantly in /etc/pam.d)
> in order to activate SELinux support that there is very little gain in
> having the packages pre-installed.

While SE Linux is disabled by default there is little benefit in having the 
packages pre-installed.

The wiki instructions are not overly complex (now that I have improved them 
and referenced some new code features).


I have simpler instructions at the above URL.  They can be summarised as the 

apt-get install selinux-policy-default selinux-basics
postfix-nochroot (optional)

> P.S. Isn't selinux-basics required? It seems to be, but it was not
> priority standard...

You can run SE Linux without it, but you probably won't want to.  It should 
probably have the same status as selinux-policy-default.

http://etbe.coker.com.au/          My Main Blog
http://doc.coker.com.au/           My Documents Blog

Reply to: