[DSE-User] SELinux state

Ritesh Raj Sarraf rrs at researchut.com
Mon Feb 16 12:34:28 UTC 2009


Hi Russell

On Monday 16 Feb 2009 14:33:51 Russell Coker wrote:
> On Mon, 16 Feb 2009, Ritesh Raj Sarraf <rrs at researchut.com> wrote:
> > I read somewhere that now selinux priority is set to standard. So that'd
> > mean that selinux will now be installed by default.
>
> The policy was installed by default at one stage, I believe that the plan
> was to revert that before Lenny was released.
>
> > Do we have any data showing how many Debian installations have selinux
> > enabled, and maybe enforced?
>
> As setting the priority to standard did not put "selinux=1" on the kernel
> command line, which is not done without some extra action by the sysadmin, I
> expect that number to be low.
>

Unless we get more users using it, we won't be able to make it better, would 
we? Is it planned to be enabled now? Maybe, to start with, it could be with 
enforcing=0.

> > I've been trying selinux on Debian for more than a year and not much has
> > been changing in regard to its policy for add-on packages. I hate to say,
> > but in the current state, selinux in Debian sucks, it is not usable. Most
> > of the packages in debian are not selinux aware. And they thus fail with
> > selinux enabled.
>
> Most packages should not be SE Linux aware.  Of the few that should be
> (cron, login, etc) most are.
>

Then I understand it as: the SE Linux policy is what should be standard 
enough to cover all. Either way, do you see the current state of SE Linux in 
Debian as unusable?
I can see many basic things not working.
With SE Linux enforced, I can't:
* get KDM to run
* suspend; s2ram won't work
* use hal, which has become a core component. It doesn't work much.
* Many more I can't recollect...

How could we expect users to use SE Linux in Debian when the most basic 
functionalities don't work ?
And all these issues are with packages shipped through Debian.

> > I'm not sure how Fedora is able to cope with this. I know they fund
> > the SELinux Team/Maintainer. But still, a proper policy for every package
> > they ship, amazing.
>
> They don't do that.
>
You mean a policy for every package?
Anyway, I have SE Linux enabled on my Fedora box, and I haven't had many 
issues there. I can't get the same experience on Debian.
Do you see this as a user problem?

> > But I think no, no. IIRC one of the Debian SELinux contributors mentioned
> > that not all packages in Fedora are confined. They don't confine all the
> > applications. If it is doable, can we do something similar ?
>
> It's more than doable, it's the default configuration.
>

That surprises me. If that's what the default configuration is, why don't the 
core components shipped in Debian work?

> > Confine only
> > the known set of vulnerable packages that we have a good policy for.
> > And eventually, as and when the policy becomes usable for additional
> > packages, we make them selinux enabled.
>
> We used to call that the "targeted" policy, the package
> was "selinux-policy-refpolicy-targeted" in Etch.  Now in Lenny it's the
> Targeted configuration of the default policy which is in
> the "selinux-policy-default" package.

Yes, that's the one I'm using currently. And that's the one I'm currently 
having issues with.

Thank you for replying. While my SE Linux knowledge is currently very limited, 
I'd still like to provide any help that can improve the SE Linux experience 
in Debian.

Ritesh
-- 
Ritesh Raj Sarraf
RESEARCHUT - http://www.researchut.com
"Necessity is the mother of invention."
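Added check, not part of Ritesh's mail or of any Debian package: a small POSIX sh helper that reads the two flags the thread talks about ("selinux=1" to turn the LSM on at boot, "enforcing=0" to force permissive mode) off a kernel command line and classifies the result, plus a report function that sets those boot flags beside what the running kernel says through selinuxfs. The "last occurrence of a repeated flag wins" rule and the two selinuxfs mount points (/selinux on older Debian kernels, /sys/fs/selinux on newer ones) are assumptions not stated in the mail; the sample command lines in the usage note are constructed.

```shell
#!/bin/sh
# Added example, not code from the mail or from Debian.
# Classify what a kernel command line says about SELinux, using the flags
# discussed in the thread: "selinux=1" enables the LSM at boot and
# "enforcing=0" forces permissive mode.
# Assumption: when a flag is repeated, the last occurrence wins (the kernel
# parses boot parameters left to right).

selinux_cmdline_state() {
    # $1: a kernel command line string. Prints exactly one word:
    #   off        - no "selinux=1", so the LSM is not enabled at boot
    #   permissive - enabled, and "enforcing=0" forces permissive mode
    #   enforcing  - enabled, "enforcing=1" given explicitly
    #   enabled    - enabled with no enforcing= flag; the mode is then left
    #                to the policy configuration loaded later by userspace
    _on=0
    _enf=unset
    for _tok in $1; do          # word-splitting on whitespace is intended
        case "$_tok" in
            selinux=1)   _on=1 ;;
            selinux=0)   _on=0 ;;
            enforcing=0) _enf=0 ;;
            enforcing=1) _enf=1 ;;
        esac
    done
    if [ "$_on" -eq 0 ]; then
        echo off
    elif [ "$_enf" = 0 ]; then
        echo permissive
    elif [ "$_enf" = 1 ]; then
        echo enforcing
    else
        echo enabled
    fi
}

# Live check: compare the boot flags with the kernel's current enforce bit.
# Assumption: selinuxfs is at /selinux (older Debian) or /sys/fs/selinux
# (newer kernels); if neither exists, SELinux is not enabled in this kernel.
selinux_report() {
    _cmdline=$(cat /proc/cmdline 2>/dev/null) || _cmdline=""
    echo "boot flags: $(selinux_cmdline_state "$_cmdline")"
    if [ -r /selinux/enforce ]; then
        echo "kernel now: enforce=$(cat /selinux/enforce)"
    elif [ -r /sys/fs/selinux/enforce ]; then
        echo "kernel now: enforce=$(cat /sys/fs/selinux/enforce)"
    else
        echo "kernel now: selinuxfs not mounted (SELinux not enabled)"
    fi
}
```

Run selinux_report on a Lenny box to see the gap the thread is about: a fresh install reports "boot flags: off", because installing selinux-policy-default does not by itself add selinux=1 to the kernel line. A constructed line such as "root=/dev/sda1 ro selinux=1 enforcing=0" classifies as permissive, which is the start-up mode suggested above for getting more users onto the policy without breaking KDM or suspend outright.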
