It took me a fair amount of time to understand that modules only get
loaded at the time selinux-policy-default is installed, by the
postinst Perl script where there is a hardcoded mapping between
currently installed packages and the corresponding selinux modules.

With similar Debian machines running selinux and some packages that
are known by some module, the semodules -l command reports different
active modules depending on whether selinux has been installed before or
after the packages in question. This is highly confusing to
selinux newbies, and only adds to the feeling that selinux
is very complicated.

Not only is it not possible to do a manual reconfiguration, this whole
mechanism is pretty much broken in a fairly typical scenario, where a
security-conscious sysadmin installs selinux right after the basic
operating system installation, before starting to install and set up
the actual services. If the sysadmin does not check everything, he
might be under the impression that his services are protected by
selinux, when in fact the modules never get loaded, and no relabeling
happens. The sysadmin needs to know what module to load and do it
manually, otherwise only a handful of base services (installed
with d-i) are contained.

I think that there really should be some mechanism to provide
automatic selinux module activation when a package gets installed.
Maybe each package's postinst script should be responsible for this.

Until a better mechanism is implemented, please at least document the
current behaviour and the correct procedures to manually activate
modules.
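As an added illustration (not part of the bug report and not Debian's own postinst code) of the check the reporter describes, the script below compares installed packages against loaded modules using a constructed package-to-module mapping; the mapping, the `missing_modules` function and the `/usr/share/selinux/default/*.pp` path are assumptions for this example.

```shell
#!/bin/sh
# Added example: list SELinux policy modules that should be active for the
# packages installed on this host but are not loaded.  The package:module
# pairs below are a constructed illustration, not the real postinst table.

# missing_modules "<installed packages, space separated>" "<loaded modules, one per line>"
# Prints the module name for every mapping entry whose package is installed
# but whose module does not appear in the loaded list.
missing_modules() {
    installed="$1"
    loaded="$2"
    for pair in apache2:apache bind9:bind postfix:postfix openssh-server:ssh; do
        pkg=${pair%%:*}
        mod=${pair##*:}
        # Skip mapping entries whose package is not installed at all.
        case " $installed " in
            *" $pkg "*) ;;
            *) continue ;;
        esac
        # Exact-line match so "ssh" does not match a module named "sshd".
        if ! printf '%s\n' "$loaded" | grep -qx "$mod"; then
            echo "$mod"
        fi
    done
}

# Live use on a Debian host (assumes dpkg-query and semodule are present;
# semodule -l prints the module name in the first column on both old and
# new versions, so only that column is kept):
#   installed=$(dpkg-query -W -f='${Package} ' 2>/dev/null)
#   loaded=$(semodule -l | awk '{print $1}')
#   for m in $(missing_modules "$installed" "$loaded"); do
#       echo "module $m not loaded; load it with: semodule -i /usr/share/selinux/default/$m.pp"
#       echo "then relabel the service's files with restorecon -R"
#   done
```

Running the live part after installing selinux early, as in the scenario above, shows which services are installed but still unconfined until their module is loaded by hand.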
