[DSE-User] SELinux state

Russell Coker russell at coker.com.au
Mon Feb 16 09:03:51 UTC 2009


On Mon, 16 Feb 2009, Ritesh Raj Sarraf <rrs at researchut.com> wrote:
> I read somewhere that now selinux priority is set to standard. So that'd
> mean that selinux will now be installed by default.

The policy was installed by default at one stage, I believe that the plan was 
to revert that before Lenny was released.

> Do we have any data showing how many Debian installations have selinux
> enabled, and maybe enforced?

As setting the priority to standard did not put "selinux=1" on the kernel 
command-line, and that is not done without some extra action by the sysadmin, I 
expect that number to be low.

> I've been trying selinux on Debian for more than a year and not much has
> been changing in regard to its policy for add-on packages. I hate to say,
> but in the current state, selinux in Debian sucks, it is not usable. Most
> of the packages in debian are not selinux aware. And they thus fail with
> selinux enabled.

Most packages should not be SE Linux aware.  Of the few that should be (cron, 
login, etc) most are.

> I'm not sure how Fedora is able to cope with this. I know they fund the
> SELinux Team/Maintainer. But still, a proper policy for every package they
> ship, amazing.

They don't do that.

> But I think no, no. IIRC one of the Debian SELinux contributors mentioned
> that not all packages in Fedora are confined. They don't confine all the
> applications. If it is doable, can we do something similar ?

It's more than doable, it's the default configuration.

> Confine only 
> the known set of vulnerable packages that we have a good policy for.
> And eventually, as and when the policy becomes usable for additional
> packages, we make them selinux enabled.

We used to call that the "targeted" policy, the package 
was "selinux-policy-refpolicy-targeted" in Etch.  Now in Lenny it's the 
Targeted configuration of the default policy which is in 
the "selinux-policy-default" package.

-- 
russell at coker.com.au
http://etbe.coker.com.au/          My Main Blog
http://doc.coker.com.au/           My Documents Blog
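The reply above turns on a distinction that is easy to get wrong when answering "how many installations have SE Linux enabled": having the policy package installed, having "selinux=1" on the kernel command line so a policy actually gets loaded, and running in enforcing rather than permissive mode are three separate things. The script below is an added example (not code from this thread or from the Debian SE Linux packages) that classifies a host by those three inputs and flags the common mismatch of /etc/selinux/config asking for enforcing while no policy is loaded. It assumes the selinuxfs "enforce" file is read from /sys/fs/selinux/enforce (or /selinux/enforce on the older kernels of the Lenny era) and that /etc/selinux/config carries SELINUX= and SELINUXTYPE= lines in the Debian layout; the sample command lines and config text are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not code from the thread or the Debian SE Linux packages.
# Classifies a host's SE Linux state from the three things the reply hinges
# on: whether "selinux=1" was put on the kernel command line, whether a
# policy is loaded and enforcing, and what /etc/selinux/config asked for.
#
# Assumptions (mine, not the thread's): the "policy loaded" indicator is the
# selinuxfs enforce file at /sys/fs/selinux/enforce (older kernels mounted
# selinuxfs at /selinux), and /etc/selinux/config holds SELINUX= and
# SELINUXTYPE= lines as Debian's package writes them.

# selinux_state CMDLINE ENFORCE
#   CMDLINE: contents of /proc/cmdline
#   ENFORCE: contents of the selinuxfs enforce file, or "" if it is absent
# Prints one of: disabled, not-loaded, permissive, enforcing
selinux_state() {
    cmdline=" $1 "
    enforce="$2"
    case "$cmdline" in
        *" selinux=0 "*) echo disabled; return 0 ;;
    esac
    # Without selinux=1 on the command line (or a kernel built to default to
    # it) no policy is ever loaded, so the enforce file does not exist.
    # This is the state the reply expects most Debian installs to be in.
    if [ -z "$enforce" ]; then
        echo not-loaded; return 0
    fi
    case "$enforce" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo "unknown enforce value: $enforce" >&2; return 1 ;;
    esac
}

# config_mode CONFIG_TEXT
#   Prints the SELINUX= value (enforcing/permissive/disabled) from the text
#   of /etc/selinux/config, or "unset" when the line is missing.
#   SELINUXTYPE= lines deliberately do not match the pattern.
config_mode() {
    mode=$(printf '%s\n' "$1" \
        | sed -n 's/^SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' | tail -n 1)
    [ -n "$mode" ] && echo "$mode" || echo unset
}

# check_host CMDLINE ENFORCE CONFIG_TEXT
#   Prints "<state> (config: <mode>)" and returns 1 when the running state
#   does not match what the config file requested, e.g. SELINUX=enforcing
#   in /etc/selinux/config but no selinux=1 on the command line.
check_host() {
    state=$(selinux_state "$1" "$2") || return 1
    want=$(config_mode "$3")
    echo "$state (config: $want)"
    case "$state:$want" in
        enforcing:enforcing|permissive:permissive|disabled:disabled) return 0 ;;
        not-loaded:disabled|not-loaded:unset) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads the real files on the host it runs on; an absent enforce file is
# passed as "" so it is reported as not-loaded rather than as an error.
selinux_state_live() {
    cmdline=$(cat /proc/cmdline 2>/dev/null)
    enforce=""
    for f in /sys/fs/selinux/enforce /selinux/enforce; do
        if [ -r "$f" ]; then enforce=$(cat "$f" 2>/dev/null); break; fi
    done
    config=""
    if [ -r /etc/selinux/config ]; then config=$(cat /etc/selinux/config); fi
    check_host "$cmdline" "$enforce" "$config"
}

# Constructed sample inputs (not captured from a real host) so the example
# runs offline; pass --live to inspect the machine it runs on instead.
if [ "${1:-}" = --live ]; then
    selinux_state_live
else
    check_host 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro selinux=1' 1 \
        'SELINUX=enforcing
SELINUXTYPE=default' || true
    check_host 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet' '' \
        'SELINUX=enforcing' \
        || echo "mismatch: config asks for enforcing but no policy is loaded" >&2
fi
```

The second sample is the case the reply describes: the policy package and its config file are present, but nothing put "selinux=1" on the command line, so the kernel never loaded a policy and the host counts as "not enabled" however the config reads. Any survey of Debian installs has to read the enforce file, not the package list or /etc/selinux/config, to get a meaningful number.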
