On Sat, 22 Sep 2007 00:00:09 -0500, Mumia W <[EMAIL PROTECTED]> said:
> On 09/21/2007 10:15 PM, Andrew J. Barr wrote:
>> On 9/21/07, Kelly Clowers <[EMAIL PROTECTED]> wrote:
>>> On 9/21/07, Mumia W.. <[EMAIL PROTECTED]> wrote:
>>>> Why is selinux in Debian at all?
>>>>
>>>> Have any users asked for it?
>>> I don't know, but if it wasn't in Debian, I would ask for it.
>>>
>>> I don't get why people seem to think SELinux is a bad thing.
>>
>> I think it got a bad reputation with Fedora Core 2. Which is
>> unfortunate, because it really is a good technology.
>>
>>
> It probably is good technology. But I think it should be good
> technology--elsewhere.
> Including SElinux in Debian is not like including tuxracer. Too much
> of the core security parts of Debian have to be changed to accommodate
> SElinux.
> If I want SElinux, I should get Redhat or Fedora. But I use Debian,
> and I'd like to be SElinux-free here.
> Manoj said that SElinux is not yet fully integrated into Debian, and I
> think that's good because it gives us time to re-evaluate if we need
> SElinux, and I hope we can re-evaluate it out of Debian.

I did not quite mean that. What I meant is that SELinux is fairly well integrated in Debian; but the reference policy is not quite polished enough to be foisted on the general user base by default -- a conscious effort is still required to turn on SELinux. As the policy improves, the effort required to use SELinux would be reduced.

There is also the issue of modularity of SELinux policy, and ownership of policy modules that correspond to Debian packages -- currently, and for the foreseeable future, policy modules are shipped in one giant package, instead of separately -- and they are either inactive, or all installed into the kernel. I think this is partially why SELinux is so hard to deal with in Fedora -- they have a modular security policy, with poor coverage, masquerading as a monolithic policy, and that is a poor fit for a modular OS. Mind you, what Fedora achieved is admirable -- but I think we can do better.
So, in the middle term, the giant policy package will be broken up into a few packages (I am not yet ready to go the one module, one package route). We also need to get away from the "load _all_ modules into the kernel, all the time" mechanism Fedora uses. But before we get there, we have to enhance the packaging system to ensure that the security policy (initial file contexts, at least) is loaded in the kernel before the corresponding package is installed. Too bad there is no pre-install trigger in the new dpkg code; I suppose someone will have to add it in. Perhaps me.

In any case, Debian is always about choices. And that also means SELinux.

manoj
-- 
You'll be called to a post requiring ability in handling groups of people.
Manoj Srivastava <[EMAIL PROTECTED]> <http://www.golden-gryphon.com/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
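The ordering problem Manoj raises (a package unpacked before its file contexts are in the loaded policy gets the base policy's generic labels, not the ones its own module expects) can be made concrete. The following is an added example, not code from the thread or from Debian's SELinux packaging: it labels a constructed dpkg-style file list against a constructed, simplified file_contexts fragment, once with only the base policy loaded and once with the package's module present, and reports which files end up mislabelled. The package name "exampled", all paths and all type names are invented for illustration, and the example assumes the setfiles rule that regexes match the whole path and the last matching entry wins.

```python
import re

# Constructed, simplified file_contexts fragment in refpolicy syntax
# (regex, optional file-type field, security context). The catch-all
# "/.*" comes first because this example assumes the last matching
# entry wins, as setfiles/restorecon do. Type names are illustrative.
BASE_FILE_CONTEXTS = """
/.*                         system_u:object_r:default_t:s0
/usr/(s)?bin/.*             system_u:object_r:bin_t:s0
/etc/.*                     system_u:object_r:etc_t:s0
/var/log/.*                 system_u:object_r:var_log_t:s0
"""

# Constructed file contexts for a hypothetical package "exampled"; with
# per-package policy modules these would ship with that module.
EXAMPLED_MODULE_CONTEXTS = """
/usr/sbin/exampled          --  system_u:object_r:exampled_exec_t:s0
/etc/exampled(/.*)?             system_u:object_r:exampled_etc_t:s0
/var/log/exampled(/.*)?         system_u:object_r:exampled_log_t:s0
"""

# Constructed list of files the hypothetical package unpacks (dpkg -L style).
EXAMPLED_FILES = [
    "/usr/sbin/exampled",
    "/etc/exampled/exampled.conf",
    "/var/log/exampled/exampled.log",
    "/usr/share/doc/exampled/README",
]


def parse_file_contexts(text):
    """Return [(compiled regex, context)] in file order.

    The optional middle field (--, -d, ...) restricts an entry to a file
    type; it is ignored here because only paths are labelled, not inodes.
    """
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        regex, context = fields[0], fields[-1]
        specs.append((re.compile(regex), context))
    return specs


def label_for(path, specs):
    """Label a path: each regex must match the whole path, last match wins."""
    label = None
    for rx, ctx in specs:
        if rx.fullmatch(path):
            label = ctx
    return label


def pending_relabel(paths, loaded_specs, wanted_specs):
    """Files that get the wrong label when unpacked under loaded_specs
    rather than wanted_specs. Returns {path: (label_now, label_wanted)}.
    """
    diffs = {}
    for p in paths:
        now = label_for(p, loaded_specs)
        wanted = label_for(p, wanted_specs)
        if now != wanted:
            diffs[p] = (now, wanted)
    return diffs


def install_order_report(files=EXAMPLED_FILES):
    """Compare 'base policy only' (module loaded after unpack) with
    'base + package module' (module loaded before unpack)."""
    base = parse_file_contexts(BASE_FILE_CONTEXTS)
    with_module = base + parse_file_contexts(EXAMPLED_MODULE_CONTEXTS)
    return pending_relabel(files, base, with_module)


if __name__ == "__main__":
    for path, (now, wanted) in sorted(install_order_report().items()):
        print(f"{path}: labelled {now}, policy expects {wanted}")
```

Every path the report lists is one that would run or be read under a generic type (bin_t, etc_t, var_log_t) until someone runs restorecon after the module is loaded; the documentation file is absent from the report because both policies give it the same label. Loading the module (semodule -i) before unpacking, as the message argues a packaging hook should guarantee, is what makes that window disappear.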