On Wednesday 31 December 2008 11:32, Frans Pop <elen...@planet.nl> wrote:
> Russell Coker wrote:
> > Frans Pop wrote:
> > > Not really. SELinux is not even close to functional after a standard
> > > installation. For one thing, it gets installed *after* the initrd gets
> > > generated and the initrd does not get regenerated, so the admin has to
> > > do that manually after rebooting into the installed system.
> >
> > There is no need to regenerate an initrd in Debian.
>
> I just did a standard i386 install using the instructions on the wiki [1]
> (which BTW look to be rather outdated in several respects).

They were, I have just made some significant changes.

> I did my previous test at the time of the discussion in September and
> remember that I did need to regenerate the initrd then to get rid of some
> errors. It does seem better now.
>
> However, I still had to regenerate the initrd because of the instruction
> to add "no_static_dev="1" for udev.

Previously I hadn't realised that was possible. It's mostly a cosmetic issue.
Some daemons recursively scan /dev and generate some audit messages if you
don't do it. But there is no security issue. I have all my SE Linux machines
running without that change.

> I also feel that as long as you need to check for instructions in a wiki
> and manually edit various config files (most importantly in /etc/pam.d)
> in order to activate SELinux support that there is very little gain in
> having the packages pre-installed.

While SE Linux is disabled by default there is little benefit in having the
packages pre-installed.

The wiki instructions are not overly complex (now that I have improved them
and referenced some new code features).

http://doc.coker.com.au/computers/installing-se-linux-on-lenny/

I have simpler instructions at the above URL. They can be summarised as the
following:

apt-get install selinux-policy-default selinux-basics
selinux-activate
reboot
postfix-nochroot (optional)
selinux-config-enforcing

> P.S. Isn't selinux-basics required? It seems to be, but it was not
> priority standard...

You can run SE Linux without it, but you probably won't want to. It should
probably have the same status as selinux-policy-default.

--
russ...@coker.com.au
http://etbe.coker.com.au/ My Main Blog
http://doc.coker.com.au/ My Documents Blog