[DSE-User] SELinux state

Russell Coker russell at coker.com.au
Mon Feb 16 12:56:45 UTC 2009


On Mon, 16 Feb 2009, Ritesh Raj Sarraf <rrs at researchut.com> wrote:
> > > Do we have any data showing how many Debian installations have selinux
> > > enabled, and maybe enforced?
> >
> > As setting the priority to standard did not put "selinux=1" on the kernel
> > command-line is not performed without some extra action by the sysadmin,
> > I expect that number to be low.
>
> Unless we get more users using it, we won't be able to make it better.
> Would we? Is it planned to be enabled now, maybe to start with, it could
> be with enforcing=0

I have had some discussions with Frans about the concept of having the 
installer offer the user a choice (which will determine grub kernel options, 
etc).  This would significantly improve the situation.

> > > I've been trying selinux on Debian for more than a year and not much
> > > has been changing in regard to its policy for add-on packages. I hate
> > > to say, but in the current state, selinux in Debian sucks, it is not
> > > usable. Most of the packages in debian are not selinux aware. And they
> > > thus fail with selinux enabled.
> >
> > Most packages should not be SE Linux aware.  Of the few that should be
> > (cron, login, etc) most are.
>
> Then I'm understanding it as that the SE Linux policy is what should be
> standard enough to cover all. Either way, do you see the current state of
> SE Linux in Debian as unusable?
> I can see many basic things not working.
> With SE Linux enforced, I can't:
> * Get KDM to run

Last time I checked KDM worked but KDE logins as other than unconfined_t 
didn't.  GDM works well.

> * I can't suspend. s2ram won't work.

That's easy to solve, I'll go through this step by step in about 24 hours.

> * hal has become a core component. It doesn't work much.

What is the problem with hal?

> * Many more I can't recollect...
>
> How could we expect users to use SE Linux in Debian when the most basic
> functionalities don't work?
> And all these issues are with packages shipped through Debian.

These things are not the most basic functionality, they are just some things 
that are important to you.  We will fix them, but let's not think that it's 
unusable just because some things you want to do don't work.

> > > I'm not sure how Fedora is able to cope up with this. I know they fund
> > > the SELinux Team/Maintainer. But still, a proper policy for every
> > > package they ship, amazing.
> >
> > They don't do that.
>
> You mean a policy for every package ?

Yes, most things run in unconfined_t in Fedora.  Run "ps axZ".

> Anyway, I have SE Linux enabled on my Fedora box. And I haven't had much
> issues there. I can't get the same experience on Debian.
> Do you see this as a user problem ?

It's a problem that we will fix eventually.  We need more people working on 
this.

> > > But I think no, no. IIRC one of the Debian SELinux contributors
> > > mentioned that not all packages in Fedora are confined. They don't
> > > confine all the applications. If it is doable, can we do something
> > > similar ?
> >
> > It's more than doable, it's the default configuration.
>
> That surprises me. If that's what the default configuration is, why don't
> the core components shipped in Debian work?

The core components in Debian work.  But s2ram is not one of them.

-- 
russell at coker.com.au
http://etbe.coker.com.au/          My Main Blog
http://doc.coker.com.au/           My Documents Blog
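The "ps axZ" check Russell suggests is easier to read when the labels are tallied per domain, so here is an added helper (example code written for this page, not Russell's or Debian's) that summarises such output and reports how much of the process list sits in unconfined_t. The sample input is constructed; on a live SELinux system you would pipe the real `ps axZ` output into the functions instead.

```shell
#!/bin/sh
# Added example, not from the thread: tally `ps axZ` output by SELinux type.
# Assumed label format is user:role:type[:level], as ps axZ prints it, with
# the usual one-line header first.

# summarize_domains: read ps axZ lines on stdin, print "count type" per
# domain, most common first.
summarize_domains() {
    LC_ALL=C awk 'NR > 1 {
            n = split($1, f, ":")
            if (n >= 3) count[f[3]]++
        }
        END { for (t in count) print count[t], t }' | sort -rn
}

# unconfined_ratio: fraction of listed processes running as unconfined_t.
unconfined_ratio() {
    LC_ALL=C awk 'NR > 1 { total++; split($1, f, ":"); if (f[3] == "unconfined_t") u++ }
        END { if (total > 0) printf "%.2f\n", u / total; else print "0.00" }'
}

# Constructed sample of what ps axZ prints on a targeted-policy box
# (daemons confined, the interactive session and kdm in unconfined_t).
SAMPLE='LABEL                               PID TTY      STAT   TIME COMMAND
system_u:system_r:init_t:s0           1 ?        Ss     0:01 /sbin/init
system_u:system_r:crond_t:s0        812 ?        Ss     0:00 /usr/sbin/cron
system_u:system_r:sshd_t:s0-s0:c0.c1023 901 ?        Ss     0:00 /usr/sbin/sshd
unconfined_u:unconfined_r:unconfined_t:s0 1420 pts/0 Ss 0:00 -bash
unconfined_u:unconfined_r:unconfined_t:s0 1502 pts/0 R+ 0:00 ps axZ
unconfined_u:unconfined_r:unconfined_t:s0 1380 ? Sl 0:02 kdm'

if [ "${1:-}" = "--sample" ]; then
    printf '%s\n' "$SAMPLE" | summarize_domains
    printf 'unconfined fraction: '
    printf '%s\n' "$SAMPLE" | unconfined_ratio
fi
```

Run it as `ps axZ | summarize_domains` (after sourcing the file) to see your own system's split, or with `--sample` to see the constructed output.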