Manoj Srivastava wrote:
> I think we have a low enough avc denial rate that
> unconfined/permissive already provides value. We are pretty close to
> achieving unconfined/enforcing for Lenny, and with help from people I
> think we can be there. strict/permissive and strict/enforcing should
> be doable for squeeze.

One thing that I really miss is a documentation entry point. I think I know lots of things about admin, OS, kernel, ... I heard about SElinux, I know it should improve the security (at least for servers). From the beginning of this thread, I read carefully all messages. I saw the boot parameter (selinux=1) that I did not try yet. Today, I see the audit2allow tool and I mark it on my TODO/tips file.

But, I looked into /usr/share/doc/selinux-policy-default/ and did not find any useful documentation:
- README.Debian gives pointers about semodule and load_policy (that seem tools for more advanced selinux users than me)
- README talks about make targets, so I suppose it applies to the source package or advanced selinux users with a copy of the sources/policies...

I also looked into /usr/share/doc/setools
- there is no README.Debian
- README is a general selinux documentation (talking about downloading sources, compiling/installing them, ...). So, again, I think this document is targeting advanced selinux users (or selinux developers)

And /etc/selinux/ has a lot of files that I do not know what to do with them.

So, before reading this thread and finding the selinux=1 boot parameter, I did not know what to do to use selinux. I'm not sure that I only have to do that. I discovered in this thread audit2allow. It seems to me a great tool to work around incomplete policy (until fixed in package or due to local configuration) but I do not know exactly how to add produced rules to my local config and to make the system use it (ie reload the config).

I do not want an answer here. I'm sure that if I'm interested enough in selinux (and with enough free time), I'm skilled enough to find internet/manpage documentation and understand them. But if selinux is installed by default on all systems, then I really think that a basic documentation for Debian administrators (I mean people managing machines with the Debian distribution on it, not admin of official Debian machines) MUST be provided.

In this documentation, I think that we should find:
- what is selinux
- what are the different modes (permissive, ...)
- how to enable/disable selinux on Debian machines
- how to change the mode
- how to adjust the policy
- ...

ie all operations needed by a Debian admin to manage selinux on their machine. And this documentation must be very easy to find (pointer to it in the config directory, ...)

Best regards,
Vincent

PS: and no, I'm not interested enough in selinux nor do I have enough free time and knowledge to write this kind of documentation.

--
Vincent Danjean       GPG key ID 0x9D025E87         [EMAIL PROTECTED]
GPG key fingerprint: FC95 08A6 854D DB48 4B9A 8A94 0BF7 7867 9D02 5E87
Unofficial packages: http://www-id.imag.fr/~danjean/deb.html#package
APT repo: deb http://perso.debian.org/~vdanjean/debian unstable main