
Re: SELinux Suggestion



On Sat, 22 Sep 2007 00:00:09 -0500, Mumia W <paduille.4061.mumia.w+nospam@earthlink.net> said: 

> On 09/21/2007 10:15 PM, Andrew J. Barr wrote:
>> On 9/21/07, Kelly Clowers <kelly.clowers@gmail.com> wrote:
>>> On 9/21/07, Mumia W.. <paduille.4061.mumia.w+nospam@earthlink.net> wrote:
>>>> Why is selinux in Debian at all?
>>>> 
>>>> Have any users asked for it?
>>> I don't know, but if it wasn't in Debian, I would ask for it.
>>> 
>>> I don't get why people seem to think SELinux is a bad thing.
>> 
>> I think it got a bad reputation with Fedora Core 2. Which is
>> unfortunate, because it really is a good technology.
>> 
>> 

> It probably is good technology. But I think it should be good
> technology--elsewhere.

> Including SElinux in Debian is not like including tuxracer. Too much
> of the core security parts of Debian have to be changed to accommodate
> SElinux.

> If I want SElinux, I should get Redhat or Fedora. But I use Debian,
> and I'd like to be SElinux-free here.

> Manoj said that SElinux is not yet fully integrated into Debian, and I
> think that's good because it gives us time to re-evaluate if we need
> SElinux, and I hope we can re-evaluate it out of Debian.

        I did not quite mean that.  What I meant is that SELinux is
 fairly well integrated in Debian; but the reference policy is not quite
 polished enough to be foisted on the general user base by default -- a
 conscious effort is still required to turn on SELinux.  As the policy
 improves, the effort required to use SELinux would be reduced.

        There is also the issue of modularity of SELinux policy, and
 ownership of policy modules that correspond to Debian packages --
 currently, and for the foreseeable future, policy modules are shipped
 in one giant package, instead of separately -- and they are either
 inactive, or all installed into the kernel.

        I think this is partially why SELinux is so hard to deal with in
 Fedora -- they have a modular security policy, with poor coverage,
 masquerading as a monolithic policy, and that is a poor fit for a
 modular OS.

        Mind you, what Fedora achieved is admirable -- but I think we
 can do better. So, in the middle term, the giant policy package will be
 broken up into a few packages (I am not yet ready to go the one module,
 one package route). 

        We also need to get away from the "load _all_ modules into the
 kernel, all the time" mechanism Fedora uses.   But before we get there,
 we have to enhance the packaging system to ensure that the security
 policy (initial file contexts, at least) is loaded in the kernel
 before the corresponding package is installed. Too bad there is no
 pre-install trigger in the new dpkg code; I suppose someone will have
 to add it in. Perhaps me.

        In any case, Debian is always about choices. And that also means
 SELinux. 

        manoj
-- 
You'll be called to a post requiring ability in handling groups of
people.
Manoj Srivastava <srivasta@acm.org> <http://www.golden-gryphon.com/>
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
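Manoj's point that a package's policy module (and at least its file contexts) ought to be loaded before the package lands on disk is the kind of gate a maintainer script could check for. The script below is an added example, not code from this thread or from Debian's SELinux packaging: it parses the `name version` lines that `semodule -l` prints, using a constructed module list when the tool is absent so it runs offline, and the module names and the idea of a `preinst_check` hook are assumptions for illustration.

```shell
#!/bin/sh
# Added example: a pre-install gate that refuses to proceed unless the
# SELinux policy modules a package depends on are already loaded.
# The module names and the hook are assumptions, not Debian's real packaging.

# Constructed sample of `semodule -l` output (one "name version" per line),
# used only when semodule itself is not available on the host.
SAMPLE_MODULE_LIST='apache 1.5.0
cron 1.4.1
ssh 1.3.2'

# loaded_modules: print the loaded module list, from semodule when present,
# otherwise the constructed sample so the check can be exercised anywhere.
loaded_modules() {
    if command -v semodule >/dev/null 2>&1; then
        semodule -l 2>/dev/null
    else
        printf '%s\n' "$SAMPLE_MODULE_LIST"
    fi
}

# module_loaded NAME LIST: succeed (exit 0) if NAME is the first field of
# some line in LIST, i.e. the module is loaded into the kernel policy.
module_loaded() {
    printf '%s\n' "$2" | awk -v want="$1" '$1 == want { found = 1 } END { exit !found }'
}

# missing_modules "mod1 mod2 ..." LIST: print the required names that do
# not appear in LIST, space separated (empty output means nothing is missing).
missing_modules() {
    _missing=""
    for _m in $1; do
        if ! module_loaded "$_m" "$2"; then
            _missing="${_missing:+$_missing }$_m"
        fi
    done
    printf '%s' "$_missing"
}

# preinst_check "mod1 mod2 ...": what a package's preinst could run.
# Returns 1 and reports the gap when any required module is not loaded,
# so the package is not unpacked with files that have no policy behind them.
preinst_check() {
    _list=$(loaded_modules)
    _miss=$(missing_modules "$1" "$_list")
    if [ -n "$_miss" ]; then
        echo "SELinux policy module(s) not loaded: $_miss" >&2
        return 1
    fi
    return 0
}

# Demonstration run: a hypothetical package that needs the apache and cron
# modules. On the constructed sample this passes; a real preinst would abort.
preinst_check "apache cron" || echo "would abort package installation here"
```

The check deliberately reads only the module names, not versions: whether a loaded module is new enough is a separate question that a real packaging hook would have to settle against the policy package's own versioning.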