[arch-general] base stuff (was: Change Arch's default crond)

Thomas S Hatch thatch45 at gmail.com
Wed Apr 6 22:36:03 EDT 2011


On Wed, Apr 6, 2011 at 7:53 PM, Tom Gundersen <teg at jklm.no> wrote:

> On Thu, Apr 7, 2011 at 6:46 AM, Thomas S Hatch <thatch45 at gmail.com> wrote:
> > On Wed, Apr 6, 2011 at 4:32 PM, Heiko Baums <lists at baums-on-web.de> wrote:
> >
> >> On Wed, 6 Apr 2011 16:25:42 -0600
> >> Thomas S Hatch <thatch45 at gmail.com> wrote:
> >>
> >> > As for adding SELinux support in base but keeping it turned off by
> >> > default, +1
> >>
> >> Then you mean adding it to [core]. (base) is supposed to be installed
> >> on every system. And SELinux is definitely not necessary for a minimal
> >> base Linux installation.
> >>
> >> Heiko
> >>
> >
> > SELinux is a compile flag in the kernel and base utils, it is not
> > required for a minimal system, but just adding the compile flags is a
> > minor change and makes setting up more secure systems a possibility.
> >
> > I think that the only reason it is omitted is because most people are
> > horrified by it, but if it is disabled by default then it is off and no
> > one need know that support is compiled in.
>
> I would just like to chime in and point out that if we want to allow
> selinux, then we would need someone committed to supporting it. I have
> never used it myself, but from what I hear it would need to be
> supported by things like initscripts to be used properly. If such
> support can be added elegantly and securely then I am not opposed to
> it.
>
> Cheers,
>
> Tom
>

I like to hear that, Tom!
Unfortunately many people think that having SELinux compiled in means that
it is running. Having SELinux compiled into the core utils and the kernel
but leaving it turned off has 0 negative effect on the system. Adding
support for SELinux into Arch does not, in any way, force anyone to use it;
if that were the case I would be 100% against it.

I will need to set up SELinux in my datacenters very soon, because it is a
very fundamental security layer. When I have it running I will give you all
of the patches that the initscripts may need and make sure that they are
non-intrusive.

