On Thu, 2004-04-29 at 10:05, Jeremy Katz wrote:
> On Wed, 2004-04-28 at 22:06 -0500, Nick Gray wrote:
> > On Wed, 2004-04-28 at 21:43, Jeremy Katz wrote:
> > > On Wed, 2004-04-28 at 21:16 -0500, Nick wrote:
> > > > Why are we using the command line option to install the SELinux process? I
> > > > provided to the SEL list a comp.xml skeleton that I used to add SEL to
> > > > Core 1.
> > >
> > > The option has nothing to do with what packages get installed; it deals
> > > instead with whether we set up such things as xattrs on the filesystem and
> > > whether policy will end up loading by default.
> >
> > Isn't all of that via packages?
>
> It's based on information in packages, but it's influenced also by _how_
> the packages are installed, not by which packages are actually being
> installed. I.e., what %__file_context_path is set to for RPM and thus
> whether contexts are set on files as they're laid down on the
> filesystem. Also, what ends up in /etc/sysconfig/selinux, which gets
> looked at by init to determine whether policy should be loaded or not.

This seems like semantics: you won't need to set xattrs, set up a /selinux
directory, or access any of the selinux packages if you are given the option
not to install SEL. My original point addresses an issue with the switch
setting. I believe that the switch is the wrong way to implement this.

> > Isn't the kernel built during install from a source package?
>
> Ummm, no. This would a) require the installation of a compiler and b)
> make the install time much longer, especially on older hardware.

I vaguely recall this. So the default kernels must be pretty large to contain
all of the modules, etc., for each option (Bluetooth, etc.).

> > So you're saying that the switch is just a way of setting the level that
> > is currently set in the firewall screen of the install?
>
> Whether or not the control is even shown. SELinux is not at this point
> something that is going to be suitable for all users -- this will change
> over time, but right now keeping the users who don't know better
> from getting into trouble is a good idea just to cut down on the support
> burden.

I still think you are missing my point. Is the SELinux kernel installed by
default and directories such as '/etc/security' created even if the switch
is off?

Assuming for the moment that selecting the switch during the install prevents
any trace of SEL from showing on the system, why do it via switch? Why not use
the installation menu and leave the SELinux portion disabled by default?

Making the other assumption that all the binaries/directories are installed
and just not enabled: I think those of us who need to have this accredited
are going to have a tough time with the distinction of installed but not
used. The selection should let you go down one of two paths, installed or
not installed. The distinction needs to be pristine if those of us who need
this for secure implementations are going to present it.

> > What about building a Core 2 system without SELinux? Are we forcing
> > users to use SEL if they are using Fedora in the future?
>
> No, there's nothing that forces you to use SELinux. There are things
> that depend on libselinux, but that doesn't mean that you're actually
> using SELinux.

See above.

> Jeremy
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
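Added example, not part of the thread above and not Fedora or anaconda code: a POSIX shell script that classifies a host by the two install-time artefacts Jeremy names, the SELINUX= setting in /etc/sysconfig/selinux (what init reads to decide whether to load policy) and the RPM macro %__file_context_path (what decides whether file contexts are set as packages are laid down). It reports whether a system is not installed, installed but not enabled, or enabled, which is the distinction the thread argues over. The sample sysconfig files are constructed, the file_contexts path used in the demo is an assumption, and on a real host the macro value would come from `rpm --eval '%__file_context_path'`.

```shell
#!/bin/sh
# Added example, not from the list thread. Classifies a system from the two
# install-time artefacts named above: the SELINUX= setting in
# /etc/sysconfig/selinux (read by init to decide whether to load policy) and
# the RPM macro %__file_context_path (decides whether file contexts are set
# on files as packages are laid down). The sample files below are constructed;
# on a real host pass /etc/sysconfig/selinux and the output of:
#   rpm --eval '%__file_context_path'

# Print the effective SELINUX= mode from a sysconfig-style file:
# enforcing, permissive, disabled, absent (no file or no setting) or invalid.
selinux_mode_from_file() {
    f="$1"
    [ -f "$f" ] || { echo absent; return 0; }
    # Skip comments, ignore SELINUXTYPE=, let the last SELINUX= line win.
    mode=$(sed -n 's/^[[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$f" \
           | tail -n 1 | tr '[:upper:]' '[:lower:]')
    case "$mode" in
        enforcing|permissive|disabled) echo "$mode" ;;
        "") echo absent ;;
        *) echo invalid ;;
    esac
}

# Given the macro value as rpm prints it, report whether file contexts would
# have been applied at package install time. rpm echoes an undefined macro
# back literally, so that literal counts as "not set".
labels_at_install() {
    case "$1" in
        ""|"%__file_context_path"|"%{nil}") echo no ;;
        *) echo yes ;;
    esac
}

# Combine both signals into the installed / enabled distinction.
classify() {
    mode=$(selinux_mode_from_file "$1")
    labelled=$(labels_at_install "$2")
    if [ "$mode" = absent ] && [ "$labelled" = no ]; then
        echo not-installed
    elif [ "$mode" = enforcing ] || [ "$mode" = permissive ]; then
        # Policy will load; flag the case where files were never labelled,
        # since that needs a relabel before the policy means anything.
        if [ "$labelled" = yes ]; then
            echo "enabled-$mode"
        else
            echo "enabled-$mode-unlabelled"
        fi
    else
        echo installed-not-enabled
    fi
}

# Demo on constructed files (the file_contexts path is an assumption).
demo=$(mktemp -d)
printf '# constructed: the "installed but not used" case\nSELINUX=disabled\nSELINUXTYPE=targeted\n' > "$demo/disabled"
printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$demo/enforcing"
for f in disabled enforcing missing; do
    echo "$f: $(classify "$demo/$f" /etc/security/selinux/file_contexts)"
done
echo "no macro, no file: $(classify "$demo/missing" '%__file_context_path')"
rm -rf "$demo"
```

The script only reads configuration and never touches the running kernel, so it is safe to run on a host being audited; a "missing" sysconfig file with a defined macro is still reported as installed-not-enabled, because labelled files with nothing for init to read is exactly the half-installed state the accreditation concern is about.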