[arch-general] Revisit official SELinux support
Nicolás de la Torre
ndelatorre at gmail.com
Mon Oct 28 19:59:15 EDT 2013
The first answer that I can think of is the patches needed on many packages to
support SELinux. It is not only that you have to enable a config option in the
kernel; you have to maintain the patches for each of the packages,
and that may hold you back from keeping things KISS and following
2013/10/28 Karol Babioch <karol at babioch.de>
> I'm wondering whether there was ever an actual discussion regarding the
> SELinux support within Arch. I could only find a bug report from
> September 2012 (see ), which was closed by Dave Reisner with kind of
> a lame comment: "A million times no.".
> After having dealt with SELinux on a couple of occasions I think that it
> is a real security enhancement worth the initial hassle of setting it up
> properly (at least in a server environment).
> Looking into the support for SELinux in Arch I think it is way too messy
> to be actually used in practice (see ).
> I wouldn't go so far as to suggest enabling SELinux by default as proposed
> in the bug report mentioned above, but I think it would actually make
> sense to support it - more or less - officially. I'm thinking about a
> model similar to the one implemented by Debian (see ). It basically
> comes down to installing some default policies and enabling SELinux by
> running a script.
> This would, however, require at least the stock kernel to have support
> for SELinux built-in by default. Are there any technical reasons for
> this not being the case already?
> I don't want this to become a discussion about the pros and cons of
> SELinux (on a desktop system) in general. I'm just wondering whether it
> would be feasible to implement "official" support for SELinux within
> Arch. So, if possible, please keep it technical.
> Best regards,
> Karol Babioch
> : https://bugs.archlinux.org/task/31448
> : https://wiki.archlinux.org/index.php/SELinux
> : https://wiki.debian.org/SELinux/Setup