Re: Penalty of SELinux?

To: debian-user@lists.debian.org
Subject: Re: Penalty of SELinux?
From: Manoj Srivastava <srivasta@ieee.org>
Date: Tue, 25 Sep 2007 00:24:47 -0500
Message-id: <[🔎] 87odfrfhb4.fsf@anzu.internal.golden-gryphon.com>
Mail-followup-to: debian-user@lists.debian.org
References: <[🔎] 20070922152909.GA7014@titan.hooton> <[🔎] 87k5qi6loa.fsf@anzu.internal.golden-gryphon.com> <[🔎] 20070923151457.GB6360@titan.hooton> <[🔎] 87myvdkw3g.fsf@anzu.internal.golden-gryphon.com> <[🔎] 46F8466C.9030301@sbcglobal.net> <[🔎] 87myvbhc1q.fsf@anzu.internal.golden-gryphon.com> <[🔎] 46F84E3A.9000000@sbcglobal.net> <[🔎] 873ax3sh1c.fsf@catnip.gol.com> <[🔎] 46F87D72.20807@earthlink.net>

On Mon, 24 Sep 2007 22:16:02 -0500, Mumia W <paduille.4061.mumia.w+nospam@earthlink.net> said: 

> On 09/24/2007 07:52 PM, Miles Bader wrote:
>> Mike McCarty <Mike.McCarty@sbcglobal.net> writes:
>>>> even 708 old hardware seems to be running it fine for me.
>>> My objection is to having on my machine at all.
>> 
>> I object to having python and tcl on my machine.
>> 
>> -Miles
>> 

> Your Debian machine is probably not dependent upon tcl, but Debian has
> been dependent upon python for a long time.

> However, the dependency upon SElinux is more recent. There may be time
> to remove it before it becomes too entrenched and before its tentacles
> probe too deeply into Debian.

        I think it has gone as deep as it is likely to go, and it is now
 a matter of polishing up the security policy, and trying to set up an
 install time option to allow people to boot into a secure node.  All of
 this was in place before we shipped Etch, so it is not all that recent.

> I hope it's not too late. I wish I'd educated myself about SELinux
> earlier, and I wish I could've participated in the discussions about
> SElinux in Debian. I believe that if more Debian users were aware of
> the radical nature of SElinux, its complexity and the number of core
> libraries and utilities that would have to be changed to accommodate
> it, SElinux's entry into Debian could have been averted.

        I am afraid that this is rather late in the day; Etch shipped
 fully SELinux capable, with all the patches that were needed already
 in.  We are in the  phase where SELinux patches are migrating upstream;
 PAM now comes built in with all the SELinux hooks required, for
 instance, and coreutils has most of them.

> Now we are in the unfortunate position of having to convince the
> maintainer of SElinux to advocate for the removal of his baby from his
> O/S. :-(

        I am willing to listen to reason.

        manoj
-- 
Cole's Law: Thinly sliced cabbage.
Manoj Srivastava <srivasta@acm.org> <http://www.golden-gryphon.com/>
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C

Reply to:

References:
- Penalty of SELinux?
  - From: "Douglas A. Tutty" <dtutty@porchlight.ca>
- Re: Penalty of SELinux?
  - From: Manoj Srivastava <srivasta@ieee.org>
- Re: Penalty of SELinux?
  - From: "Douglas A. Tutty" <dtutty@porchlight.ca>
- Re: Penalty of SELinux?
  - From: Manoj Srivastava <srivasta@ieee.org>
- Re: Penalty of SELinux?
  - From: Mike McCarty <Mike.McCarty@sbcglobal.net>
- Re: Penalty of SELinux?
  - From: Manoj Srivastava <srivasta@ieee.org>
- Re: Penalty of SELinux?
  - From: Mike McCarty <Mike.McCarty@sbcglobal.net>
- Re: Penalty of SELinux?
  - From: Miles Bader <miles@gnu.org>
- Re: Penalty of SELinux?
  - From: "Mumia W.." <paduille.4061.mumia.w+nospam@earthlink.net>

Prev by Date: Re: Upgrading from Etch to Lenny
Next by Date: Re: Tool for document management
Previous by thread: Re: Penalty of SELinux?
Next by thread: Re: Penalty of SELinux?
Index(es):
- Date
- Thread