
Re: Override changes standard -> optional



On Wednesday 31 December 2008 11:32, Frans Pop <elendil@planet.nl> wrote:
> Russell Coker wrote:
> > Frans Pop wrote:
> > > Not really. SELinux is not even close to functional after a standard
> > > installation. For one thing, it gets installed *after* the initrd gets
> > > generated and the initrd does not get regenerated, so the admin has to
> > > do that manually after rebooting into the installed system.
> >
> > There is no need to regenerate an initrd in Debian.
>
> I just did a standard i386 install using the instructions on the wiki [1]
> (which BTW look to be rather outdated in several respects).

They were, I have just made some significant changes.

> I did my previous test at the time of the discussion in September and
> remember that I did need to regenerate the initrd then to get rid of some
> errors. It does seem better now.
>
> However, I still had to regenerate the initrd because of the instruction
> to add "no_static_dev="1" for udev.

Previously I hadn't realised that was possible.  It's mostly a cosmetic issue.  
Some daemons recursively scan /dev and generate some audit messages if you 
don't do it.  But there is no security issue.  I have all my SE Linux 
machines running without that change.

> I also feel that as long as you need to check for instructions in a wiki
> and manually edit various config files (most importantly in /etc/pam.d)
> in order to activate SELinux support that there is very little gain in
> having the packages pre-installed.

While SE Linux is disabled by default there is little benefit in having the 
packages pre-installed.

The wiki instructions are not overly complex (now that I have improved them 
and referenced some new code features).

http://doc.coker.com.au/computers/installing-se-linux-on-lenny/

I have simpler instructions at the above URL.  They can be summarised as the 
following:

apt-get install selinux-policy-default selinux-basics
selinux-activate
reboot
postfix-nochroot (optional)
selinux-config-enforcing

> P.S. Isn't selinux-basics required? It seems to be, but it was not
> priority standard...

You can run SE Linux without it, but you probably won't want to.  It should 
probably have the same status as selinux-policy-default.

-- 
russell@coker.com.au
http://etbe.coker.com.au/          My Main Blog
http://doc.coker.com.au/           My Documents Blog
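
A check to run after the five-command summary in the message above, as an added example that is not part of the original post or of the selinux-basics package. The function names are hypothetical, and the script assumes the mode is read from the SELINUX= key of /etc/selinux/config and that the kernel needs selinux=1 on its command line.

```shell
#!/bin/sh
# Added example: classify the SELinux boot state from two files.
# Assumed (not stated in the message): mode is the SELINUX= key of
# /etc/selinux/config, and the kernel needs selinux=1 on its command line.

# Print the value of key $1 in KEY=value file $2 (last assignment wins,
# commented-out lines and trailing comments are ignored).
conf_value() {
    sed -n "s/^[[:space:]]*$1=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$2" | tail -n 1
}

# Succeed if the kernel command line in file $1 has the exact word selinux=1.
cmdline_enables_selinux() {
    tr ' ' '\n' < "$1" | grep -qx 'selinux=1'
}

# Print enforcing, permissive, disabled, disabled-at-boot or unknown.
# $1 = config file, $2 = kernel command line file.
selinux_boot_state() {
    cmdline_enables_selinux "$2" || { echo "disabled-at-boot"; return 0; }
    case "$(conf_value SELINUX "$1")" in
        enforcing)  echo "enforcing" ;;
        permissive) echo "permissive" ;;
        disabled)   echo "disabled" ;;
        *)          echo "unknown" ;;
    esac
}

# Demo on constructed sample files (not captured from a real machine).
demo=$(mktemp -d)
printf 'root=/dev/sda1 ro selinux=1\n' > "$demo/cmdline"
printf '# SELINUX=enforcing\nSELINUX=permissive\nSELINUXTYPE=default\n' > "$demo/config"
echo "before selinux-config-enforcing: $(selinux_boot_state "$demo/config" "$demo/cmdline")"
printf 'SELINUX=enforcing\nSELINUXTYPE=default\n' > "$demo/config"
echo "after selinux-config-enforcing:  $(selinux_boot_state "$demo/config" "$demo/cmdline")"
rm -rf "$demo"
```

On an installed system, call selinux_boot_state /etc/selinux/config /proc/cmdline; any result other than "enforcing" after the last step means the policy is not being enforced.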

