Hi,
We are at a point where we can support a targeted SELinux
policy, at least in permissive mode. Everything seems to work for
me; I can fire up targeted SELinux UML's and only see a few harmless
log messages.
I brought this over on the debian-installer mailing list, and
suggested that we ship SELinux installed, but turned off by default;
and a README or a short shell script fr the local administrator to
enable SELinux. Our support at this point is better in some respects
to any other distribution (selecting and installing modular policy
modules, for instance). All the core packages support SELinux (unlike
in, say, Ubuntu).
We can do this by adding selinux-policy-refpolicy-targeted,
and the dependencies, to the standard install.
With the help of
apt-rdepends --dotty selinux-policy-refpolicy-targeted
I have managed to determine that the packages not already included in
Priority Standard are:
,----[ Additional packages required ]
| Package: selinux-policy-refpolicy-targeted
| Size: 1232692
| Installed-Size: 16712
|
| Package: policycoreutils
| Size: 348324
| Installed-Size: 3304
|
| Package: libsemanage1-dev
| Size: 333718
| Installed-Size: 2076
|
| Package: libsemanage1
| Size: 70910
| Installed-Size: 296
|
| Package: python-semanage
| Size: 115336
| Installed-Size: 648
|
| Package: python-selinux
| Size: 61788
| Installed-Size: 308
|
| Package: python-support
| Size: 22934
| Installed-Size: 104
`----
The size of the .debs for targeted policy is 2185702 Bytes,
and adds seven packages to the standard install. No special
configuration should be required; the default configuration out of
the box ought to work. All these packages are available on all
architectures:
http://people.debian.org/~igloo/status.php?email=srivasta%40debian.org
And all have migrated to testing:
http://qa.debian.org/developer.php?login=srivasta
As per policy, I am raising a balloon about ths issue; I think
if we ship vacation, finger, and sharutils, we can also ship
mandatory acess controls in the standard distribution :)
As shipped, the Debian kernel images have SELinux compiled in,
but disabled, a command line parameter is required to turn SELinux
on. When SELinux is turned on (by enabling it in grub), the default
policy setting are that the machine would come on in permissive mode,
using the targeted policy; so the worst case scenario is that the
there would be lots of log messages if someone "accidentally" turned
on SELinux.
I think we are ready. And shipping SELinux by default would
be a positive thing, in these days of accelerating attacks :)
manoj
--
No skis take rocks like rental skis!
Manoj Srivastava <[EMAIL PROTECTED]> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
