On Sunday 14 September 2008 20:40, Frans Pop <[EMAIL PROTECTED]> wrote:
> Although I agree with your basic question, I do wonder how it can be a
> regression from Etch as selinux was also "priority standard" for Etch.
> It was my impression that selinux installation had become faster recently
> after Russell reworked the packaging, at least on x86.

I changed the postinst such that instead of running semodule ~24 times it
would run it twice. The next version of the policy packages will run it once
(for an incremental benefit - nothing like the benefit of going from ~24 to 2).

> The reason it was made priority standard not long before the release of
> Etch was because Manoj wanted to see if having it installed by default
> would promote more general adoption and actual use of SeLinux.
> Unfortunately the actual thing that happened was that SeLinux has
> essentially been unmaintained for most of Lenny's development cycle, that
> the promised support was completely absent.
> SeLinux packaging has only very recently been revived when Russell stepped
> in (with major improvements from what I've seen).

Now Manoj is actively working on it too. Things are starting to work pretty
well.

http://doc.coker.com.au/computers/installing-se-linux-on-lenny/

For a typical desktop system (such as my EeePC) a default installation of SE
Linux in Lenny works for most things. If you add the packages from my
repository (see the above URL) then mplayer also works in a default
configuration.

> I also feel that SeLinux is not sufficiently tuned for Debian. I don't
> know what the exact current status is and what has changed since Russell
> stepped in, but when I tried it last year a lot of additional tuning was
> needed to get for example normal package upgrades to run cleanly.

Things have changed a lot since then. Please try installing SE Linux now and
you will find everything a lot easier.

> And finally, I too have frequently been annoyed at the time taken by SeLinux
> installation during installation tests. Especially on slower hardware or
> in emulators it can be quite painful.

http://www.fedorafaq.org/

Pages such as the above document that you can pass "selinux=0" as a parameter
to the Fedora installation kernel to not have SE Linux enabled.

Would it be possible to have the Debian installer look for "selinux=0" on the
kernel command-line and then not install the SE Linux packages?

> For those reasons I support the suggestion to change the priority of
> SeLinux back to optional.
> We can always discuss returning it to priority standard if/when SeLinux is
> really ready to be not only installed by default, but also activated by
> default. And even then I can see it being implemented as a "secure
> system" task in tasksel or as a separate debconf question during
> installation rather than by raising priority to standard.
>
> Note that I did bring up this question earlier, at that point primarily
> because of its maintenance status [1].

Yes, unfortunately I had been lacking time to work on it for a while. Now
I've got more time and things are working well.

--
[EMAIL PROTECTED]
http://etbe.coker.com.au/          My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development