… actually isn’t that bad. Apparently we are the only distribution shipping a modular policy and doing some smart policy module autoconfiguration and having an upgrade helper tool.

Fedora, having undoubtedly the best SELinux support, only started with Core 5 to actually ship a modular build of the reference policy. Target comes with around 5 policy modules; the other stuff is either in the base module or, more likely, running unconfined. Strict, however, comes with the extensive set of policy modules in the reference policy. Upon installation of the policy package, all available modules will automatically be installed; judging from the package I downloaded, changes in the module selection are not preserved.

Gentoo is still shipping the last officially released toolchain, which can’t do modular builds and can’t compile the current reference policy. So they are also shipping the old policy (as in the selinux-policy-default package, which we might actually remove soon).

Ubuntu is probably waiting for us to do most of the work. ;-) I haven’t heard of any SELinux progress with Ubuntu for half a year.

So all in all, SELinux support in Debian is rather good. We just need more people to use it and fine-tune it. There are a couple of differences among distributions, especially in the init scripts, that require policy changes.