[arch-general] Revisit official SELinux support

Allan McRae allan at archlinux.org
Mon Oct 28 20:21:01 EDT 2013


On 29/10/13 09:39, Karol Babioch wrote:
> Hi,
> 
> I'm wondering whether there was ever an actual discussion regarding the
> SELinux support within Arch. I could only find a bug report from
> September 2012 (see [1]), which was closed by Dave Reisner with kind of
> a lame comment: "A million times no.".
> 
> After having dealt with SELinux on a couple of occasions I think that it
> is a real security enhancement worth the initial hassle of setting it up
> properly (at least in a server environment).
> 
> Looking into the support for SELinux in Arch I think it is way too messy
> to be actually used in practice (see [2]).
> 
> I wouldn't go so far as to suggest enabling SELinux by default as proposed
> in the bug report mentioned above, but I think it would actually make
> sense to support it - more or less - officially. I'm thinking about a
> model similar to the one implemented by Debian (see [3]). It basically
> comes down to installing some default policies and enabling SELinux by
> running a script.
> 
> This would, however, require at least the stock kernel to have support
> for SELinux built-in by default. Are there any technical reasons for
> this not being the case already?
> 
> I don't want this to become a discussion about the pros and cons of
> SELinux (on a desktop system) in general. I'm just wondering whether it
> would be feasible to implement "official" support for SELinux within
> Arch. So, if possible, please keep it technical.
> 
> Best regards,
> Karol Babioch
> 
> [1]: https://bugs.archlinux.org/task/31448
> [2]: https://wiki.archlinux.org/index.php/SELinux
> [3]: https://wiki.debian.org/SELinux/Setup


Looking at [2], it appears the SELinux work for Arch is much further
along than it once was.

I'd suggest that someone maintains an unofficial repo with all the
packages required to set this up to prove the work required for
continual maintenance of this has been done.  Then requests could be
made to (e.g.) add support to the kernel, providing full details of what
is required and if it has any effect on those not using SELinux.

Allan
