Just a quick update for SELinux in etch. With Manoj picking up work on it again (you might have noticed the large influx of new SELinux related packages these days, bringing our toolchain up to date again), and rjc having set up an SELinux development box for me, we’re actually making some progress on SELinux for etch now. Uwe Hermann also blogged about SELinux on Debian recently.

There are tons of small nuisances with SELinux on Debian left. I’ve started filing bugs and tagging them with the “selinux” usertag. It’s in the details. For example, mawk and gawk both try to ioctl any file they read as if it were a serial terminal, which of course causes SELinux to log an audit denial, since the init script (or whatever else was calling awk) didn’t have permission to ioctl a config file.
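The awk ioctl denials just described, as an added example that is not from the original post or from the Debian SELinux packages: a small Python triage script over constructed audit log lines that picks out the awk-on-regular-file ioctl pattern and emits the dontaudit rule a policy author would use to silence it (the probe is harmless, so it deserves a dontaudit, not an allow). The sample lines, pids, inodes and paths are made up; initrc_t and etc_t are assumed to be the reference policy's usual types for init scripts and /etc files.

```python
import re

# Constructed sample audit lines modelled on the awk ioctl denials described in
# the post (pids, inodes and paths are invented for illustration).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1160000000.101:12): avc:  denied  { ioctl } for  pid=2301 comm="mawk" path="/etc/default/rcS" dev=sda1 ino=4101 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:etc_t tclass=file
type=AVC msg=audit(1160000000.102:13): avc:  denied  { ioctl } for  pid=2302 comm="gawk" path="/etc/network/interfaces" dev=sda1 ino=4102 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:etc_t tclass=file
type=AVC msg=audit(1160000000.250:14): avc:  denied  { write } for  pid=2310 comm="syslogd" path="/dev/xconsole" dev=tmpfs ino=77 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:device_t tclass=fifo_file
type=AVC msg=audit(1160000000.300:15): avc:  denied  { ioctl } for  pid=2301 comm="mawk" path="/etc/default/rcS" dev=sda1 ino=4101 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:etc_t tclass=file
"""

AWK_COMMANDS = ("awk", "mawk", "gawk")


def parse_avc(line):
    """Parse one AVC denial line into a dict of its key=value fields plus the
    list of denied permissions; return None for lines that are not denials."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$', line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2))}
    fields["perms"] = m.group(1).split()
    return fields


def ctx_type(ctx):
    """Return the type component of a user:role:type[:mls] security context."""
    return ctx.split(":")[2]


def awk_ioctl_candidates(log):
    """Count ioctl denials raised by awk on regular files, keyed by
    (source type, target type, class). These are the harmless terminal
    probes the post describes and are candidates for a dontaudit rule."""
    counts = {}
    for line in log.splitlines():
        d = parse_avc(line)
        if not d or d.get("comm") not in AWK_COMMANDS:
            continue
        if d.get("tclass") != "file" or "ioctl" not in d["perms"]:
            continue
        key = (ctx_type(d["scontext"]), ctx_type(d["tcontext"]), d["tclass"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def dontaudit_rule(key):
    """Render a policy rule that silences the denial without granting it."""
    src, tgt, cls = key
    return f"dontaudit {src} {tgt}:{cls} ioctl;"
```

Running `awk_ioctl_candidates` over a real audit.log and feeding the keys to `dontaudit_rule` gives the lines for a small local policy module; the unrelated syslogd denial in the sample is left alone for separate review.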

Then there is /dev/xconsole - it’s created by the syslogd init script (shouldn’t this perhaps be handled by udev?), it’s barely used by anyone, and SELinux policy upstream wants to keep it in the xserver policy, and claims its main use is to be able to feed it the output from programs started by the window manager (instead of .xsession-errors). Which is a seriously broken design, since it’s not multiuser capable. Anyway, our current options are to

  • diverge from upstream in policy, putting xconsole into logging policy
  • make xserver a mandatory policy module
  • convince the syslogd maintainer to disable xconsole by default
  • convince upstream to at least split it out from the xserver module into a separate xconsole module and make that mandatory

Of course I was quickly flamed for filing a bug against exim stating that there currently is no SELinux policy for it, and people will thus have to use postfix or sendmail instead. But heck: people trying out SELinux on Debian will run into this problem, you know. I’d certainly prefer people to use exim instead of sendmail (I’m more of a postfix guy), but unless someone writes a policy for exim, people can’t use it with SELinux. I have no idea how exim works (where its queues live, expected behaviour and so on), so I can’t write a policy.

Now to start a real flamewar - how about making postfix the new default MTA for Debian with etch? /me runs and hides.