Re: [arch-general] Why isn't SELinux officially supported?

2017-03-01 Thread Bennett Piater
Have a look at aurutils :)

On 03/01/2017 05:45 PM, Robert Wong via arch-general wrote:
> But I'm not meaning disappealing, I just felt uncomfortable when I
> see the packages from the AUR can't be updated by the pacman and I
> don't feel like using yaourt... Probably it's my obsessive compulsive
> disorder overtaking me. I'm looking forward to build a local repos
> for all my installed AUR packages so that they can be upgraded by pacman
> -Syu.

-- 
GPG fingerprint: 871F 1047 7DB3 DDED 5FC4 47B2 26C7 E577 EF96 7808





Re: [arch-general] Why isn't SELinux officially supported?

2017-03-01 Thread Martin Kühne via arch-general
On Wed, Mar 1, 2017 at 5:45 PM, Robert Wong via arch-general wrote:
> Thanks.
> But I'm not meaning disappealing, I just felt uncomfortable when I see the
> packages from the AUR can't be updated by the pacman and I don't feel like
> using yaourt... Probably it's my obsessive compulsive disorder overtaking me.
> I'm looking forward to build a local repos for all my installed AUR packages
> so that they can be upgraded by pacman -Syu.

I do run AUR packages and manage them manually in ~/abs, no yaourt or
other third party but pacman's own infrastructure required.

> Though I'm probably still new to Arch, I used Fedora beforehand and I
> CLEARLY know the importance of a well-maintained configuration. And of course
> I am familiar - not daring to say mastering - with how SELinux works.

Check with the people in charge and get working on it. ;-)

> If I said something wrong, then I apologize. And as I mentioned, I'm not
> intended to blame anyone or cause a fight, I'm just trying to discuss its
> potential to move it to the official repos.

You didn't, and I usually realize far too late when I sound
condescending. I like to cut with a sharp corner, though, apparently
I'm not unaffected by my own conditions and shortcomings...

cheers!
mar77i


Re: [arch-general] Why isn't SELinux officially supported?

2017-03-01 Thread Robert Wong via arch-general
Thanks.
But I'm not meaning disappealing, I just felt uncomfortable when I see the
packages from the AUR can't be updated by the pacman and I don't feel like using
yaourt... Probably it's my obsessive compulsive disorder overtaking me. I'm
looking forward to build a local repos for all my installed AUR packages so
that they can be upgraded by pacman -Syu.
Though I'm probably still new to Arch, I used Fedora beforehand and I
CLEARLY know the importance of a well-maintained configuration. And of course I
am familiar - not daring to say mastering - with how SELinux works.
If I said something wrong, then I apologize. And as I mentioned, I'm not
intended to blame anyone or cause a fight, I'm just trying to discuss its
potential to move it to the official repos.
Now that I have read the formal posts, and I think I already have a clear
image of 'why'.
Sorry to make you feel uncomfortable by my words. I'm from a non-English 
country and I'm not good at expressing.

RW

On Mar 2, 2017, at 12:16 AM, Martin Kühne via arch-general wrote:

> On Wed, Mar 1, 2017 at 4:51 PM, Robert Wong via arch-general wrote:
>> Coming up:
>> ...and detailed set up process on the Wiki, why can't those packages
>> magically be maintained at the official repos? Since the upgrade experience
>> of AUR packages are truly awkward... And I don't consider it safe to
>> replace most of the critical packages with AUR packages...
> 
> Wow. Interesting how the idea of a binary produced on your own machine
> appeals less to you than a binary package delivered to you from
> somewhere. Of course the arch repos aren't anywhere, but the way you
> put it it would appear you don't feel up to the job of maintaining a
> local build of security infrastructure of the kernel.
> 
> To take away the result of a big part of discussions about security
> infrastructure, apparently, nobody appears to deem the job of
> maintaining and configuring security infrastructure for the official
> repository worth their time, which I think is at least part of the
> reason it's not there. I am probably oversimplifying the matter here,
> this is just to get you thinking.
> 
> If you want to run a secure setup, how about you throw away all
> software you don't trust personally and are capable of reading its
> source code. It's an interesting experiment and likely helps you find
> the priorities to learn what matters about the software you run. Also
> note that security infrastructure does not replace well-tuned
> configuration, since it's apparently easier to misconfigure SELinux
> than it is to use a good key cypher and deactivating password-based
> logins on your SSH servers.
> 
> cheers!
> mar77i
> 


Re: [arch-general] Why isn't SELinux officially supported?

2017-03-01 Thread Martin Kühne via arch-general
On Wed, Mar 1, 2017 at 4:51 PM, Robert Wong via arch-general wrote:
> Coming up:
> ...and detailed set up process on the Wiki, why can't those packages
> magically be maintained at the official repos? Since the upgrade experience
> of AUR packages are truly awkward... And I don't consider it safe to replace
> most of the critical packages with AUR packages...

Wow. Interesting how the idea of a binary produced on your own machine
appeals less to you than a binary package delivered to you from
somewhere. Of course the arch repos aren't anywhere, but the way you
put it it would appear you don't feel up to the job of maintaining a
local build of security infrastructure of the kernel.

To take away the result of a big part of discussions about security
infrastructure, apparently, nobody appears to deem the job of
maintaining and configuring security infrastructure for the official
repository worth their time, which I think is at least part of the
reason it's not there. I am probably oversimplifying the matter here,
this is just to get you thinking.

If you want to run a secure setup, how about you throw away all
software you don't trust personally and are capable of reading its
source code. It's an interesting experiment and likely helps you find
the priorities to learn what matters about the software you run. Also
note that security infrastructure does not replace well-tuned
configuration, since it's apparently easier to misconfigure SELinux
than it is to use a good key cypher and deactivating password-based
logins on your SSH servers.

cheers!
mar77i


Re: [arch-general] Why isn't SELinux officially supported?

2017-03-01 Thread Robert Wong via arch-general
Sorry, pressed 'Send' button accidentally. :(
Coming up:
...and detailed set up process on the Wiki, why can't those packages magically
be maintained at the official repos? Since the upgrade experience of AUR
packages are truly awkward... And I don't consider it safe to replace most of
the critical packages with AUR packages...
Never intended to blame anyone, just wondering if there is any special reason
to do so... :Q

RW

On Mar 1, 2017, at 11:43 PM, Robert Wong via arch-general wrote:

> Having been using Arch Linux with grsecurity-patched Kernel (Though installed
> a LTS Kernel for emergency fallback.) for half a year, I got a question. I 
> found all the SELinux-concerned packages at the AUR, as well as the detailed 
> 
> RW


Re: [arch-general] Why isn't SELinux officially supported?

2017-03-01 Thread Bruno Pagani via arch-general


On 1 March 2017 07:43:31 GMT-08:00, Robert Wong via arch-general wrote:
>Having been using Arch Linux with grsecurity-patched Kernel (Though
>installed a LTS Kernel for emergency fallback.) for half a year, I got
>a question. I found all the SELinux-concerned packages at the AUR, as
>well as the detailed 
>
>RW

This has been widely discussed on this ML, even very recently. I invite you to 
read the archives (on mobile currently, not easy to find and link the relevant 
threads).

It mostly comes down to SELinux depending on audit in the kernel, and this being
an issue.

Regards,
Bruno


[arch-general] Why isn't SELinux officially supported?

2017-03-01 Thread Robert Wong via arch-general
Having been using Arch Linux with grsecurity-patched Kernel (Though installed a
LTS Kernel for emergency fallback.) for half a year, I got a question. I found 
all the SELinux-concerned packages at the AUR, as well as the detailed 

RW