[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Core 2 SELinux installation

On Thu, 2004-04-29 at 10:05, Jeremy Katz wrote:
> On Wed, 2004-04-28 at 22:06 -0500, Nick Gray wrote:
> > On Wed, 2004-04-28 at 21:43, Jeremy Katz wrote:
> > > On Wed, 2004-04-28 at 21:16 -0500, Nick wrote:
> > > > Why are we using the command line option to install SELinux process. I
> > > > provided to the SEL list, a comp.xml skeleton that I used to add SEL to
> > > > Core 1. 
> > > 
> > > The option has nothing to do with what packages get installed, it deals
> > > instead with if we set up such things as xattrs on the filesystem and
> > > whether policy will end up loading by default
> > 
> > Isn't all of that via packages? 
> It's based on information in packages, but it's influenced also by _how_
> the packages are installed.  Not by which packages are actually being
> installed.  ie, what %__file_context_path is set to for RPM and thus
> whether contexts are set on files as they're laid down on the
> filesystem.  Also, what ends up in /etc/sysconfig/selinux which gets
> looked at by init to determine whether policy should be loaded or not.

This seems like semantics, you won't need to set xattrs, setup a
/selinux directory, or access any of the selinux packages if you are
given the option not to install SEL. 

My original point addresses an issue with the switch setting. I believe
that the switch is the wrong way to implement this

> > Isn't the kernel build during install from a source package?
> Ummm, no.  This would a) require the installation of a compiler and b)
> make the install time much longer, especially on older hardware.

I vaguely recall this. So the default kernels must be pretty large to
contain all of the modules, etc, for each option (Bluetooth etc.. ).

> > So your saying that the switch is just a way of setting the level that
> > is currently set in the firewall screen of the install?
> Whether or not the control is even shown.  SELinux is not at this point
> something that is going to be suitable for all users -- this will change
> over time, but right now avoiding having the users who don't know better
> from getting into trouble is a good idea just to cut down on the support
> burden.

I still think you are missing my point. Is the SELinux kernel installed
by default and directories such as '/etc/security' created even if the
switch is off?

Assuming for the moment that selecting the switch during the install,
prevents any trace of SEL from showing on the system, why do it via
switch? Why not use the installation menu and leave the SELinux portion
disabled by default?

Making the other assumption that all the binaries/directories are
installed, and just not enabled. I think those of us who need to have
this accredited are going to have a tough time with the distinction of
installed but not used. The selection should let you go down one of two
paths, installed or not installed. The distinction needs to be pristine
if those of us who need this for secure implementations are going to
present it

> > What about building a core 2 system without SELinux. Are we forcing
> > users to use SEL if they are using Fedora in the future?
> No, there's nothing that forces you to use SELinux.  There are things
> that depend on libselinux, but that doesn't mean that you're actually
> using SELinux.

See above

> Jeremy
> --
> fedora-selinux-list mailing list
> fedora-selinux-list redhat com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
Nick Gray
Senior Systems Engineer
Bruzenak Inc.
nagray austin rr com
(512) 331-7998

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]