SE Linux in Etch
Hi,
As per Bug#390760We are at a point where we can support a
targeted SELinux policy, at least in permissive mode, I suggest that
we ship SELinux installed, but turned off by default; and a README or
a short shell script fr the local administrator to enable
SELinux. Our support at this point is better in some respects to any
other distribution (selecting and installing modular policy modules,
for instance). All the core packages support SELinux (unlike in, say,
Ubuntu).
We can do this by adding selinux-policy-refpolicy-targeted,
and the dependencies, to the installer.
With the help of
apt-rdepends --dotty selinux-policy-refpolicy-targeted
I have managed to determine that the packages not already included in
Priority Standard are:
,----[ Additional packages required ]
| Package: selinux-policy-refpolicy-targeted
| Size: 1232692
| Installed-Size: 16712
|
| Package: policycoreutils
| Size: 348324
| Installed-Size: 3304
|
| Package: libsemanage1-dev
| Size: 333718
| Installed-Size: 2076
|
| Package: libsemanage1
| Size: 70910
| Installed-Size: 296
|
| Package: python-semanage
| Size: 115336
| Installed-Size: 648
|
| Package: python-selinux
| Size: 61788
| Installed-Size: 308
|
| Package: python-support
| Size: 22934
| Installed-Size: 104
`----
The size of the .debs for targeted policy is 2185702
Bytes. This has been discussed on the debian-installer list, as well
as in the bug log, and the decision was to make these 77 packages
standard, if possible. See:
http://lists.debian.org/debian-boot/2006/10/msg00120.html
http://lists.debian.org/debian-boot/2006/10/msg00138.html
http://lists.debian.org/debian-boot/2006/10/msg00171.html
I have initiated discussion on -devel for that, as per policy,
and there were 3 objections, and many more in favour, so I think we
have a rough consensus.
No special configuration should be required; the default
configuration out of the box ought to work.
As shipped, the Debian kernel images have SELinux compiled in,
but disabled, a command line parameter is required to turn SELinux
on. When SELinux is turned on (by enabling it in grub), the default
policy setting are that the machine would come on in permissive mode,
using the targeted policy; so the worst case scenario is that the
there would be log messages if someone "accidentally" turned on
SELinux.
I think we are ready. And shipping SELinux by default would
be a positive thing, in these days of accelerating attacks :)
Could the override file be changed, please?
manoj
--
A man may be so much of everything that he is nothing of
anything. Samuel Johnson
Manoj Srivastava <srivasta@acm.org> <http://www.golden-gryphon.com/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
Reply to: