I think we're getting pretty far OT from the original thread here. I'd prefer to discuss this further in a separate thread after the release of Lenny.

I also still feel there should be a debian-selinux mailing list, probably targeted at both DDs and users. Would you care to take the lead on that and request one?

Russell Coker wrote:
> On Thursday 01 January 2009 13:55, Frans Pop <elendil@planet.nl> wrote:
> So if the user typed "install selinux=1" from the installer then the
> install kernel would have SE Linux enabled, and querying /proc/cmdline
> for selinux=1 could be used for later stages of installation to
> determine whether SE Linux was desired.

That would be one way to implement it.

I'm also working on a feature for the installer that allows changing "installation settings", which could also result in a redefinition of what happens during expert installs. If that gets integrated, enabling selinux (both in permissive and active mode) could also become one of the available settings in expert mode.

Yet another option would be as a task, but I expect that's really too late in the installation process (which also means that having the packages priority standard gets them installed too late!).

> Then if SE Linux was enabled we could load the policy at a suitable time
> during the installation process and have all the files correctly
> labelled at the first boot.

AFAICT implementing that is not quite as simple as you make it sound, but I agree it should be possible.

> [...], but means that we need to install the modules before installing
> packages (as opposed to the alternatives which are all ugly).

This is one of the things that need to be worked out, as it has consequences for the exact point during the installation where SELinux would need to be installed. Could be after base system installation, but could also be earlier: straight after debootstrap.

> Can we have an extension to APT to make it call a script before it
> installs a set of packages?

apt and dpkg have a few options to hook in scripts (used e.g. by apt-listchanges and apt-listbugs), but no idea if existing hooks would work for you. Another thing to investigate in more detail.

>> However, I also don't yet see SELinux becoming a standard service on
>> all Debian systems. It's just too complex a framework for that.
>
> "Yet" being the relevant word.

Maybe. IMO Debian is by nature a distro which does not force things on users, but expects them to be able to select and install the things they need. That selection moment can be during system installation of course.

> I've been working on this for more than 7 years and it just keeps
> getting better. In time I think that I will get you and the other
> members of the Debian Installer team to agree with me.

Well, I can only say that I've been very disappointed at the support and progress of SELinux in Debian during the first 3/4 of Etch's lifetime, despite all the promises made before the release of Etch. Only when Lenny was almost frozen did any real work on it start. I really hope that aspect will be better for Lenny.

> NB I would be happy with a single question being asked of the user "Do
> you want SE Linux?" with "yes" and "no" being menu options.

I think we'd prefer to avoid a separate question that would be displayed by default in the normal flow of an installation. But as mentioned above there are other, less "invasive" options.

Cheers,
FJP