[DSE-User] SELinux state

Ritesh Raj Sarraf rrs at researchut.com
Mon Feb 16 13:18:37 UTC 2009


Hi Russell

On Monday 16 Feb 2009 18:26:45 Russell Coker wrote:
> On Mon, 16 Feb 2009, Ritesh Raj Sarraf <rrs at researchut.com> wrote:
> > > > Do we have any data showing how many Debian installations have
> > > > selinux enabled, and maybe enforced?
> > >
> > > As setting the priority to standard did not put "selinux=1" on the
> > > kernel command-line, which is not performed without some extra action by
> > > the sysadmin, I expect that number to be low.
> >
> > Unless we get more users using it, we won't be able to make it better.
> > Would we? Is it planned to be enabled now? Maybe, to start with, it could
> > be with enforcing=0.
>
> I have had some discussions with Frans about the concept of having the
> installer offer the user a choice (which will determine grub kernel
> options, etc).  This would significantly improve the situation.
>

Awesome!!

> > Then I'm understanding it as that the SE Linux policy is what should be
> > standard enough to cover all. Either way, do you see the current state of
> > SE Linux in Debian as unusable?
> > I can see many basic things not working.
> > With SE Linux enforced, I can't:
> > * Get KDM to run
>
> Last time I checked KDM worked but KDE logins as other than unconfined_t
> didn't.  GDM works well.
>

Who should the bug be filed against?
I think the selinux-policy-default package. There isn't much interest
otherwise within other DDs for SE Linux.

> > * I can't suspend. s2ram won't work.
>
> That's easy to solve, I'll go through this step by step in about 24 hours.
>

Thank you.

> > * hal has become a core component. It does work much.
>
> What is the problem with hal?
>
Oops!! That was a typo. What I was trying to say was that hal has now turned
into a core component for any desktop Debian installation. In my selinux
violations, more than 50% are hald_*-related violations.

> > > > I'm not sure how Fedora is able to cope up with this. I know they
> > > > fund the SELinux Team/Maintainer. But still, a proper policy for
> > > > every package they ship, amazing.
> > >
> > > They don't do that.
> >
> > You mean a policy for every package ?
>
> Yes, most things run in unconfined_t in Fedora.  Run "ps axZ".
>
Wow!! Thanks. I just confirmed and yes, many and most run unconfined. That led
me to compare it with my Debian installation.
And I see hal, exim, consolekit et cetera having a policy defined.
Amongst these, the most complaining ones (for which I have violation logs) are
hal and consolekit. The "KDM not starting" issue must be linked with the
consolekit violation.
Everything that is running unconfined is working.
Thanks again.

> > Anyway, I have SE Linux enabled on my Fedora box. And I haven't had many
> > issues there. I can't get the same experience on Debian.
> > Do you see this as a user problem?
>
> It's a problem that we will fix eventually.  We need more people working on
> this.
>
Thank you, Russell. This statement is very energizing and I look forward to any
help I can provide.

Ritesh
-- 
Ritesh Raj Sarraf
RESEARCHUT - http://www.researchut.com
"Necessity is the mother of invention."
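The two checks discussed in this exchange, tallying which source domain produces most of the AVC denials (the "more than 50% are hald_*" observation) and seeing from `ps axZ` how much of the system actually runs confined rather than in unconfined_t, as an added example that is not part of the original message or of the Debian SE Linux packages. The audit lines and the `ps axZ` output below are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Two small reports for triaging SE Linux
# on a Debian box: which domain is noisiest in the AVC log, and how many
# processes run confined versus in unconfined_t.
# All input below is constructed sample data; function names are my own.

# Constructed lines in the format the kernel audit subsystem writes to
# /var/log/audit/audit.log (or to syslog when auditd is not installed).
SAMPLE_AVC='type=AVC msg=audit(1234567890.101:11): avc:  denied  { read } for  pid=2001 comm="hald" name="mtab" dev=sda1 ino=5 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1234567890.102:12): avc:  denied  { getattr } for  pid=2002 comm="hald-addon-stor" path="/dev/sda" dev=tmpfs ino=9 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1234567890.103:13): avc:  denied  { write } for  pid=2003 comm="console-kit-dae" name="database" dev=sda1 ino=7 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1234567890.104:14): avc:  denied  { send_msg } for  pid=2001 comm="hald" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:consolekit_t:s0 tclass=dbus
type=SYSCALL msg=audit(1234567890.104:14): arch=40000003 syscall=102 success=no exit=-13 comm="hald"
type=AVC msg=audit(1234567890.105:15): avc:  denied  { name_connect } for  pid=2010 comm="exim4" dest=25 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket'

# Constructed "ps axZ" output: the first column is the process security label
# (user:role:type:level); the type component is the domain the process runs in.
SAMPLE_PS='LABEL                                     PID TTY   STAT TIME COMMAND
system_u:system_r:init_t:s0                 1 ?     Ss   0:01 init [2]
system_u:system_r:hald_t:s0              2001 ?     Ssl  0:00 /usr/sbin/hald
system_u:system_r:consolekit_t:s0        2003 ?     Ssl  0:00 /usr/sbin/console-kit-daemon
system_u:system_r:unconfined_t:s0        2100 ?     Ss   0:00 /usr/sbin/cron
unconfined_u:unconfined_r:unconfined_t:s0 2200 pts/0 Ss  0:00 -bash'

# Read audit lines on stdin; print "<count> <source domain>" for every domain
# that was denied something, noisiest domain first. Non-AVC records (SYSCALL,
# PATH, ...) are skipped, and only the type field of scontext is kept.
avc_denials_by_domain() {
    grep 'avc: *denied' |
    sed -n 's/.*scontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p' |
    sort | uniq -c | sort -rn
}

# Read audit lines on stdin; print the share (integer percent) of all denials
# that belong to the noisiest domain. 60 here means "3 of 5 denials".
top_domain_share() {
    avc_denials_by_domain |
    awk 'NR == 1 { top = $1 } { total += $1 }
         END { printf "%d\n", (total ? 100 * top / total : 0) }'
}

# Read "ps axZ" output on stdin; count processes whose domain is unconfined_t
# against everything else (the policy only protects the "confined" ones).
process_domain_summary() {
    awk 'NR > 1 { split($1, c, ":"); if (c[3] == "unconfined_t") u++; else k++ }
         END { printf "confined=%d unconfined=%d\n", k + 0, u + 0 }'
}

# Stand-alone run over the constructed samples.
printf '%s\n' "$SAMPLE_AVC" | avc_denials_by_domain
printf 'top domain share: %s%%\n' "$(printf '%s\n' "$SAMPLE_AVC" | top_domain_share)"
printf '%s\n' "$SAMPLE_PS" | process_domain_summary
```

On a real machine the samples would be replaced by `ausearch -m avc` (or `grep avc: /var/log/audit/audit.log`) piped into `avc_denials_by_domain`, and by `ps axZ` piped into `process_domain_summary`; a high share for one domain, as with hald here, usually points at a single policy module to file the bug against rather than at the policy as a whole.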
