[DSE-User] SELinux state
Russell Coker
russell at coker.com.au
Mon Feb 16 09:03:51 UTC 2009
On Mon, 16 Feb 2009, Ritesh Raj Sarraf <rrs at researchut.com> wrote:
> I read somewhere that now selinux priority is set to standard. So that'd
> mean that selinux will now be installed by default.
The policy was installed by default at one stage, I believe that the plan was
to revert that before Lenny was released.
> Do we have any data showing how many Debian installations have selinux
> enabled, and maybe enforced?
As setting the priority to standard did not put "selinux=1" on the kernel
command-line, and that is not done without some extra action by the sysadmin, I
expect that number to be low.
> I've been trying selinux on Debian for more than a year and not much has
> been changing in regard to its policy for add-on packages. I hate to say,
> but in the current state, selinux in Debian sucks, it is not usable. Most
> of the packages in debian are not selinux aware. And they thus fail with
> selinux enabled.
Most packages should not be SE Linux aware. Of the few that should be (cron,
login, etc) most are.
> I'm not sure how Fedora is able to cope up with this. I know they fund the
> SELinux Team/Maintainer. But still, a proper policy for every package they
> ship, amazing.
They don't do that.
> But I think no, no. IIRC one of the Debian SELinux contributors mentioned
> that not all packages in Fedora are confined. They don't confine all the
> applications. If it is doable, can we do something similar?
It's more than doable, it's the default configuration.
> Confine only
> the known set of vulnerable packages that we have a good policy for.
> And eventually, as and when the policy becomes usable for additional
> packages, we make them selinux enabled.
We used to call that the "targeted" policy, the package
was "selinux-policy-refpolicy-targeted" in Etch. Now in Lenny it's the
Targeted configuration of the default policy which is in
the "selinux-policy-default" package.
--
russell at coker.com.au
http://etbe.coker.com.au/ My Main Blog
http://doc.coker.com.au/ My Documents Blog
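The thread's point is that installing the policy package does not by itself enable SE Linux on Debian: the kernel only loads it when the sysadmin adds "selinux=1" to the kernel command line. The script below is an added example, not code from the list thread or from the Debian SE Linux packages. It parses the kernel command line and an /etc/selinux/config-style file (the standard paths /proc/cmdline and /etc/selinux/config, and the getenforce tool from policycoreutils) and reports whether the host is actually enforcing, permissive, or disabled. The SAMPLE_CONFIG text is constructed for the demonstration, and the rule that a missing selinux=1 means "disabled" is an assumption taken from the thread's description of the Debian kernel default.

```shell
#!/bin/sh
# Added example: report the real SE Linux state of a Debian host.
# Assumption (from the thread): the Debian kernel leaves SE Linux off
# unless selinux=1 is on the kernel command line.

# Constructed sample of an /etc/selinux/config file (not from a real host).
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
SELINUX=permissive
# SELINUXTYPE= names the policy loaded from /etc/selinux/<type>/
SELINUXTYPE=default'

# Print the value of the selinux= kernel parameter found in a command line
# string, or "unset" if the parameter is absent. The last occurrence wins,
# matching how the kernel treats repeated parameters.
selinux_kernel_param() {
    cmdline="$1"
    result="unset"
    for word in $cmdline; do
        case "$word" in
            selinux=*) result="${word#selinux=}" ;;
        esac
    done
    printf '%s\n' "$result"
}

# Print the value of KEY= (e.g. SELINUX or SELINUXTYPE) from config-style
# text, ignoring comment lines; prints an empty line if the key is absent.
selinux_config_value() {
    key="$1"
    text="$2"
    printf '%s\n' "$text" | sed -n "s/^[[:space:]]*$key=[[:space:]]*//p" | tail -n 1
}

# Combine the kernel parameter, the configured mode and the live state
# (getenforce output, or "" when unavailable) into one verdict:
# "enforcing", "permissive" or "disabled".
selinux_verdict() {
    kparam="$1"
    cfgmode="$2"
    live="$3"
    # A running getenforce is authoritative when we have it.
    if [ -n "$live" ]; then
        printf '%s\n' "$live" | tr 'A-Z' 'a-z'
        return
    fi
    # Assumption from the thread: without selinux=1 the policy never loads,
    # whatever /etc/selinux/config says.
    if [ "$kparam" != 1 ]; then
        echo disabled
        return
    fi
    case "$cfgmode" in
        enforcing|permissive) echo "$cfgmode" ;;
        *) echo disabled ;;
    esac
}

# Read the live files on a real host and print a short report.
report_selinux_state() {
    cmdline=$(cat /proc/cmdline 2>/dev/null || echo "")
    cfg=$(cat /etc/selinux/config 2>/dev/null || echo "")
    live=$(getenforce 2>/dev/null || echo "")
    kparam=$(selinux_kernel_param "$cmdline")
    mode=$(selinux_config_value SELINUX "$cfg")
    ptype=$(selinux_config_value SELINUXTYPE "$cfg")
    echo "kernel selinux=     : $kparam"
    echo "config SELINUX=     : ${mode:-unset}"
    echo "config SELINUXTYPE= : ${ptype:-unset}"
    echo "verdict             : $(selinux_verdict "$kparam" "$mode" "$live")"
}

# Demonstration on constructed input: policy configured permissive and
# selinux=1 present, so the verdict is "permissive".
sample_kparam=$(selinux_kernel_param 'root=/dev/sda1 selinux=1 ro quiet')
sample_mode=$(selinux_config_value SELINUX "$SAMPLE_CONFIG")
printf 'constructed sample -> verdict: %s\n' "$(selinux_verdict "$sample_kparam" "$sample_mode" '')"

# On a real host, report the live state as well.
if [ -r /proc/cmdline ]; then
    report_selinux_state
fi
```

The same config file with "selinux=1" missing from the kernel line yields "disabled", which is exactly the low-count situation Russell describes: the policy package is present, but nothing is confined.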