Re: Override changes standard -> optional
On Wednesday 31 December 2008 11:32, Frans Pop <elendil@planet.nl> wrote:
> Russell Coker wrote:
> > Frans Pop wrote:
> > > Not really. SELinux is not even close to functional after a standard
> > > installation. For one thing, it gets installed *after* the initrd gets
> > > generated and the initrd does not get regenerated, so the admin has to
> > > do that manually after rebooting into the installed system.
> >
> > There is no need to regenerate an initrd in Debian.
>
> I just did a standard i386 install using the instructions on the wiki [1]
> (which BTW look to be rather outdated in several respects).

They were, I have just made some significant changes.

> I did my previous test at the time of the discussion in September and
> remember that I did need to regenerate the initrd then to get rid of some
> errors. It does seem better now.
>
> However, I still had to regenerate the initrd because of the instruction
> to add no_static_dev="1" for udev.

Previously I hadn't realised that was possible. It's mostly a cosmetic issue.
Some daemons recursively scan /dev and generate some audit messages if you
don't do it. But there is no security issue. I have all my SE Linux
machines running without that change.

> I also feel that as long as you need to check for instructions in a wiki
> and manually edit various config files (most importantly in /etc/pam.d)
> in order to activate SELinux support that there is very little gain in
> having the packages pre-installed.

While SE Linux is disabled by default there is little benefit in having the
packages pre-installed.

The wiki instructions are not overly complex (now that I have improved them
and referenced some new code features).

http://doc.coker.com.au/computers/installing-se-linux-on-lenny/

I have simpler instructions at the above URL. They can be summarised as the
following:

    apt-get install selinux-policy-default selinux-basics
    selinux-activate
    reboot
    postfix-nochroot (optional)
    selinux-config-enforcing

> P.S. Isn't selinux-basics required? It seems to be, but it was not
> priority standard...

You can run SE Linux without it, but you probably won't want to. It should
probably have the same status as selinux-policy-default.

--
russell@coker.com.au
http://etbe.coker.com.au/ My Main Blog
http://doc.coker.com.au/ My Documents Blog