[2019-05-18 15:00] Laurent Bigonville <bi...@debian.org>

> I've seen that in your commit, I just don't understand why this is even
> a goal.

Because I do not want to pay for what I do not use. It is a matter of good design and the Unix way.

> libselinux is really small and only pulls libpcre3 which is pulled by
> grep (which is Essential). It's not possible today to install debian
> without libselinux installed anyway.

A path of a thousand miles starts with a single step.

> Also, what's your plan regarding packaging? Would that executable be
> put in a separate package?

Yes, that's the plan.

> TBRH I spent a lot of time working opening bugs/submitting patches in
> debian so the user who wants to use SELinux can get (an almost) out of
> the box experience in debian and I would not really be happy to see
> that attempt to revert that in a core component.

And I spend a lot of time on not having useless things installed on my box. What is wrong with having SELinux support in a separate package? Just enable "Apt::InstallSuggests" and you are golden.

> If you really (really) want to go that way, maybe you should use a
> private path for the helper (as it shouldn't be called by regular users
> after the initial load) and/or use a less common name than "selinux-check".

No problem. I do not insist on any particular naming of the helper, and I installed it into sbin just to reduce the Makefile part of the patch. It was my plan to install it into /lib/init/ anyway, and you are welcome to propose any name. What do you suggest?

> >> Was that discussed with anybody involved in SELinux in debian and/or
> >> upstream?
>
> > That is exactly the place to start discussion. Luckily, Jesse is following
> > BTS, and I do not have to go through Savannah issue tracker.
>
> I was more thinking about upstream SELinux people

Okay. I see you added "selinux-devel" into the thread. Thank you.

Dear selinux-devel maintainers,

we are considering moving the following check from /sbin/init into a subprocess:

    if (getenv("SELINUX_INIT") == NULL) {
        if (is_selinux_enabled() != 1) {
            if (selinux_init_load_policy(&enforce) == 0) {
                putenv("SELINUX_INIT=YES");
                execv(myname, argv);
            } else {
                if (enforce > 0) {
                    /* SELinux in enforcing mode but load_policy failed */
                    /* At this point, we probably can't open /dev/console, so log() won't work */
                    fprintf(stderr, "Unable to load SELinux Policy. Machine is in enforcing mode. Halting now.\n");
                    exit(1);
                }
            }
        }
    }

Are there any possible unwanted side-effects? Any suggestions about it?

--
Note that I send and fetch email in batches, once every 24 hours. If the matter is urgent, try https://t.me/kaction
--
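Added example, not code from this thread, from sysvinit or from libselinux: a C model of what the init/helper split proposed above has to carry across the process boundary. Once the policy load runs in a child, the `enforce` value that the original snippet reads directly no longer exists in init, so the helper has to report it through its exit status, and init has to map that status back onto the same three outcomes (continue, re-exec, halt). The exit-code contract, the `helper_main`/`init_decide`/`run_helper_and_decide` names and the `load_ok`/`load_fail_*` stand-ins are all constructed for this example; a real helper would call `is_selinux_enabled()` and `selinux_init_load_policy()` from libselinux where the stand-in is invoked. The child is forked without an exec so the block runs on its own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Exit codes the hypothetical helper uses to report back to init.
 * Constructed for this example; not an interface of any real project. */
enum helper_status {
    HELPER_POLICY_LOADED   = 0, /* policy loaded: init must re-exec itself */
    HELPER_SELINUX_SKIPPED = 1, /* SELinux off / permissive without policy: go on */
    HELPER_ENFORCING_FAIL  = 2, /* enforcing mode but the load failed: halt */
};

/* What init does after consulting the helper. */
enum init_action { INIT_CONTINUE, INIT_REEXEC, INIT_HALT };

/* Stand-in for selinux_init_load_policy(&enforce): returns 0 on success,
 * -1 on failure, and writes the enforcing flag. Parameterised so the
 * decision logic can be exercised without a real policy. */
typedef int (*load_policy_fn)(int *enforce);

/* Helper side: the nested ifs of the original snippet, but the outcome is
 * returned as an exit status instead of being acted on in place. */
int helper_main(int selinux_enabled, load_policy_fn load_policy)
{
    int enforce = 0;
    if (selinux_enabled == 1)            /* stand-in for is_selinux_enabled() */
        return HELPER_SELINUX_SKIPPED;   /* already enabled: nothing to load */
    if (load_policy(&enforce) == 0)
        return HELPER_POLICY_LOADED;
    if (enforce > 0) {
        fprintf(stderr, "Unable to load SELinux Policy. Machine is in enforcing mode. Halting now.\n");
        return HELPER_ENFORCING_FAIL;
    }
    return HELPER_SELINUX_SKIPPED;       /* permissive: boot without policy */
}

/* init side: translate the child's wait status into an action. A helper
 * that died from a signal or returned an unknown code is treated like a
 * failed load in enforcing mode, i.e. the decision fails closed. */
enum init_action init_decide(int wstatus)
{
    if (!WIFEXITED(wstatus))
        return INIT_HALT;
    switch (WEXITSTATUS(wstatus)) {
    case HELPER_POLICY_LOADED:   return INIT_REEXEC;
    case HELPER_SELINUX_SKIPPED: return INIT_CONTINUE;
    default:                     return INIT_HALT;
    }
}

/* The SELINUX_INIT guard stays in init: after the re-exec the check must
 * not run a second time. The helper logic runs in a forked child here
 * (no exec) so the example is self-contained. */
enum init_action run_helper_and_decide(int selinux_enabled, load_policy_fn load_policy)
{
    if (getenv("SELINUX_INIT") != NULL)  /* second pass after re-exec */
        return INIT_CONTINUE;
    pid_t pid = fork();
    if (pid < 0)
        return INIT_HALT;                /* cannot even start the helper */
    if (pid == 0)
        _exit(helper_main(selinux_enabled, load_policy));
    int wstatus;
    if (waitpid(pid, &wstatus, 0) != pid)
        return INIT_HALT;
    return init_decide(wstatus);
}

/* Constructed stand-ins for the policy loader. */
int load_ok(int *enforce)              { *enforce = 1; return 0; }
int load_fail_enforcing(int *enforce)  { *enforce = 1; return -1; }
int load_fail_permissive(int *enforce) { *enforce = 0; return -1; }

int main(void)
{
    unsetenv("SELINUX_INIT");
    enum init_action a = run_helper_and_decide(0, load_ok);
    if (a == INIT_REEXEC) {
        /* A real init would putenv("SELINUX_INIT=YES") and execv(myname, argv) here. */
        putenv("SELINUX_INIT=YES");
        puts("policy loaded: re-exec init");
    } else if (a == INIT_HALT) {
        puts("halt");
    } else {
        puts("continue boot");
    }
    return 0;
}
```

The part worth checking against the original snippet is the default branch of `init_decide`: in-process, a failed `selinux_init_load_policy()` with `enforce == 0` quietly continues, but with a subprocess that same outcome arrives as an exit code, and any status the helper was not designed to return (a crash, an OOM kill, a wrong binary at the helper path) should halt rather than boot unconfined in a system that was configured to enforce.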