Jeremy Katz wrote:
But you *have* to install some SELinux packages. eg, libselinux is always going to end up being installed due to dependencies of other packages.
Incidentally Fedora 1 has a similar situation. If you want Postgres, you have to install krb5-libs, even if you aren't using Kerberos. If you are going to ship binary packages, you have to turn on all the options that anyone could want. I guess taken to extremes it would increase bloat unacceptably, but krb5-libs and the user space SELinux libraries are not large.
Because there's not a way to give enough information on what all of the ramifications are [of installing SELinux]. And with the current state of things, it's thus best to make it an option for people who know what they're doing.
I think this is especially true for a new security technology. Most people's view of security is quite simplistic: they want the bad guys kept out, without their work being interfered with. If SELinux interferes with their work, they will turn it off, reasoning that normal Unix security has kept the bad guys out so far. They are then unlikely to try it again later however much people tell them that the policy has been improved.
Pete
