The first answer that I can think of is the patches needed on many packages to support SELinux. It is not only that you have to enable a config on the kernel; you have to maintain the patches for each of the packages, and that may hold you back from keeping things KISS and following upstream.

Thanks

2013/10/28 Karol Babioch <karol@babioch.de>
Hi,
I'm wondering whether there was ever an actual discussion regarding the SELinux support within Arch. I could only find a bug report from September 2012 (see [1]), which was closed by Dave Reisner with kind of a lame comment: "A million times no.".
After having dealt with SELinux on a couple of occasions I think that it is a real security enhancement worth the initial hassle of setting it up properly (at least in a server environment).
Looking into the support for SELinux in Arch I think it is way too messy to be actually used in practice (see [2]).
I wouldn't go so far as to suggest enabling SELinux by default as proposed in the bug report mentioned above, but I think it would actually make sense to support it - more or less - officially. I'm thinking about a model similar to the one implemented by Debian (see [3]). It basically comes down to installing some default policies and enabling SELinux by running a script.
This would, however, require at least the stock kernel to have support for SELinux built-in by default. Are there any technical reasons for this not being the case already?
I don't want this to become a discussion about the pros and cons of SELinux (on a desktop system) in general. I'm just wondering whether it would be feasible to implement "official" support for SELinux within Arch. So, if possible, please keep it technical.
Best regards,
Karol Babioch

[1]: https://bugs.archlinux.org/task/31448
[2]: https://wiki.archlinux.org/index.php/SELinux
[3]: https://wiki.debian.org/SELinux/Setup