Martin Michlmayr wrote:
> I'd like to ask whether selinux should really be installed by default.
> On the Linksys NSLU2, a very popular device with only 32 MB of RAM,
> installing selinux-policy-default takes at least half an hour (with
> heavy swapping) or possibly even more. This is a major regression
> from the installer experience of etch. A bug about this problem was
> filed about 3 weeks ago (#495786) but there was no response from the
> maintainer at all.

Although I agree with your basic question, I do wonder how it can be a regression from Etch as selinux was also "priority standard" for Etch. It was my impression that selinux installation had become faster recently after Russell reworked the packaging, at least on x86.

The reason it was made priority standard not long before the release of Etch was because Manoj wanted to see if having it installed by default would promote more general adoption and actual use of SeLinux. Unfortunately the actual thing that happened was that SeLinux has essentially been unmaintained for most of Lenny's development cycle, and that the promised support was completely absent. SeLinux packaging has only very recently been revived when Russell stepped in (with major improvements from what I've seen).

I think Etch has shown that merely having SeLinux standard does _not_ promote its wider use. I would also argue that people who actually want to use SeLinux will also know how to install it afterwards.

I also feel that SeLinux is not sufficiently tuned for Debian. I don't know what the exact current status is and what has changed since Russell stepped in, but when I tried it last year a lot of additional tuning was needed to get for example normal package upgrades to run cleanly.

And finally, I too have frequently been annoyed at the time taken by SeLinux installation during installation tests. Especially on slower hardware or in emulators it can be quite painful.

For those reasons I support the suggestion to change the priority of SeLinux back to optional. We can always discuss returning it to priority standard if/when SeLinux is really ready to be not only installed by default, but also activated by default. And even then I can see it being implemented as a "secure system" task in tasksel or as a separate debconf question during installation rather than by raising priority to standard.

Note that I did bring up this question earlier, at that point primarily because of its maintenance status [1].

Cheers,
FJP

[1] http://lists.debian.org/debian-devel/2008/02/msg00223.html