SE Linux in Etch

To: debian-release@lists.debian.org
Cc: ftpmaster@debian.org
Subject: SE Linux in Etch
From: Manoj Srivastava <srivasta@ieee.org>
Date: Sun, 15 Oct 2006 00:56:50 -0500
Message-id: <[🔎] 87odseceal.fsf@glaurung.internal.golden-gryphon.com>

Hi,

        As per Bug#390760We are at a point where we can support a
 targeted SELinux policy, at least in permissive mode, I suggest that
 we ship SELinux installed, but turned off by default; and a README or
 a short shell script fr the local administrator to enable
 SELinux. Our support at this point is better in some respects to any
 other distribution (selecting and installing modular policy modules,
 for instance). All the core packages support SELinux (unlike in, say,
 Ubuntu).

        We can do this by adding selinux-policy-refpolicy-targeted,
 and the dependencies, to the installer.

        With the help of
  apt-rdepends --dotty selinux-policy-refpolicy-targeted
 I have managed to determine that the packages not already included in
 Priority Standard are:
,----[ Additional packages required ]
| Package: selinux-policy-refpolicy-targeted
| Size: 1232692
| Installed-Size: 16712
|
| Package: policycoreutils
| Size: 348324
| Installed-Size: 3304
|
| Package: libsemanage1-dev
| Size: 333718
| Installed-Size: 2076
|
| Package: libsemanage1
| Size: 70910
| Installed-Size: 296
|
| Package: python-semanage
| Size: 115336
| Installed-Size: 648
|
| Package: python-selinux
| Size: 61788
| Installed-Size: 308
|
| Package: python-support
| Size: 22934
| Installed-Size: 104
`----

        The size of the .debs for targeted policy is 2185702
 Bytes. This has been discussed on the debian-installer list, as well
 as in the bug log, and the decision was to make these 77 packages
 standard, if possible. See:
http://lists.debian.org/debian-boot/2006/10/msg00120.html
http://lists.debian.org/debian-boot/2006/10/msg00138.html
http://lists.debian.org/debian-boot/2006/10/msg00171.html

        I have initiated discussion on -devel for that, as per policy,
 and there were 3 objections, and many more in favour, so I think we
 have a rough consensus.

        No special configuration should be required; the default
 configuration out of the box ought to work.

        As shipped, the Debian kernel images have SELinux compiled in,
 but disabled, a command line parameter is required to turn SELinux
 on. When SELinux is turned on (by enabling it in grub), the default
 policy setting are that the machine would come on in permissive mode,
 using the targeted policy; so the worst case scenario is that the
 there would be log messages if someone "accidentally" turned on
 SELinux.

        I think we are ready.  And shipping SELinux by default would
 be a positive thing, in these days of accelerating attacks :)

        Could the override file be changed, please?


        manoj
-- 
A man may be so much of everything that he is nothing of
anything. Samuel Johnson
Manoj Srivastava <srivasta@acm.org> <http://www.golden-gryphon.com/>
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C

Reply to:

Prev by Date: Re: serious problem with sparc's buildd (it does not build libavg)
Next by Date: Re: Bug#387706: - splitting mesa and mesa-legacy for libosmesa
Previous by thread: Re: Bug#387706: - splitting mesa and mesa-legacy for libosmesa
Next by thread: Sarge to Etch upgrade with radeon
Index(es):
- Date
- Thread