Core 2 SELinux installation

[Jeremy Katz]

On Wed, 2004-04-28 at 22:06 -0500, Nick Gray wrote:
> On Wed, 2004-04-28 at 21:43, Jeremy Katz wrote:
> > On Wed, 2004-04-28 at 21:16 -0500, Nick wrote:
> > > Why are we using the command line option to install SELinux process. I
> > > provided to the SEL list, a comp.xml skeleton that I used to add SEL to
> > > Core 1. 
> > 
> > The option has nothing to do with what packages get installed, it deals
> > instead with if we set up such things as xattrs on the filesystem and
> > whether policy will end up loading by default
> 
> Isn't all of that via packages? 

It's based on information in packages, but it's influenced also by _how_
the packages are installed.  Not by which packages are actually being
installed.  ie, what %__file_context_path is set to for RPM and thus
whether contexts are set on files as they're laid down on the
filesystem.  Also, what ends up in /etc/sysconfig/selinux which gets
looked at by init to determine whether policy should be loaded or not.

> Isn't the kernel build during install from a source package?

Ummm, no.  This would a) require the installation of a compiler and b)
make the install time much longer, especially on older hardware.

> So your saying that the switch is just a way of setting the level that
> is currently set in the firewall screen of the install?

Whether or not the control is even shown.  SELinux is not at this point
something that is going to be suitable for all users -- this will change
over time, but right now avoiding having the users who don't know better
from getting into trouble is a good idea just to cut down on the support
burden.

> What about building a core 2 system without SELinux. Are we forcing
> users to use SEL if they are using Fedora in the future?

No, there's nothing that forces you to use SELinux.  There are things
that depend on libselinux, but that doesn't mean that you're actually
using SELinux.

Jeremy