Differences between revisions 10 and 11
Revision 10 as of 2006-03-11 14:49:50
Size: 2205
Editor: ?ThomasBleher
Comment: Add link to Alioth repository
Revision 11 as of 2006-04-10 11:37:20
Size: 2221
Editor: ?PetrSalinger
Comment:
Line 18: Line 18:
Please note that ["SELinux"] is a Linux-specific feature and Debian packages shouldn't assume it is present (unless they're Linux-specific packages for some reason). Remember to check wether this is a Linux platform by using dpkg-architecture variables in debian/rules, and conditionalise the libselinux Build-Dependency using [] tags. Something like [!kfreebsd-i386 !hurd-i386] should be fine. Please note that ["SELinux"] is a Linux-specific feature and Debian packages shouldn't assume it is present (unless they're Linux-specific packages for some reason). Remember to check wether this is a Linux platform by using dpkg-architecture variables in debian/rules, and conditionalise the libselinux Build-Dependency using [] tags. Something like [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386] should be fine.
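Review bot: the exclusion list in the changed sentence, [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386], names each non-Linux architecture individually, so it goes stale whenever another such port appears, which is what this revision had to correct for kfreebsd-amd64. Suggest having the text say that the list must cover every non-Linux architecture the package is built on, rather than presenting one fixed list as sufficient. The same sentence still spells "whether" as "wether".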

SELinux

Introduction

["SELinux"] began as a project to port to Linux the mandatory access control architecture that the National Security Agency (NSA) and the Secure Computing Corporation (SCC) had developed on the Mach and Fluke operating systems.

The NSA ["SELinux"] website can be found [http://www.nsa.gov/selinux/index.cfm here], and a paper on why mandatory access controls are a good, and likely necessary, thing can be found [http://www.nsa.gov/selinux/papers/inevit-abs.cfm here].

Debian SELinux support

The Debian packaged Linux kernels have had ["SELinux"] support compiled in (but disabled by default) since version 2.6.9. In order to activate ["SELinux"] the parameter selinux=1 must be passed to the kernel when booting. Alternatively, you can compile your own kernel with ["SELinux"] enabled by default.

The SELinux support is in constant flux, so it is generally recommended that you use an up-to-date installation of unstable if you want to experiment with ["SELinux"] (for instance, the Debian packaged kernels did not include "audit" support until version 2.6.13).

In addition to the kernel modifications, several user-space applications need to be modified to support ["SELinux"] properly. Patched versions of these should be in Debian unstable by now.

Before you decide to experiment with ["SELinux"], you should read the [:SELinuxSetup:SELinux setup notes] and check ["SELinuxStatus"] for a list of current issues.

Non-Linux Platforms

Please note that ["SELinux"] is a Linux-specific feature and Debian packages shouldn't assume it is present (unless they're Linux-specific packages for some reason). Remember to check whether this is a Linux platform by using dpkg-architecture variables in debian/rules, and conditionalise the libselinux Build-Dependency using [] tags. Something like [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386] should be fine.
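The following debian/rules fragment is an added example, not taken from this page or from any Debian package, showing the platform check and the matching conditional Build-Dependency described above. The `--enable-selinux`/`--disable-selinux` configure switches, the `SELINUX_FLAG` variable and the `configure-stamp` target are assumptions about the package being built.

```make
# debian/rules fragment (added example, not from the wiki page).
# Matching line for debian/control, using the architecture list from the text:
#   Build-Depends: libselinux1-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386]

# Host OS as reported by dpkg-architecture, e.g. "linux", "kfreebsd", "hurd".
DEB_HOST_ARCH_OS ?= $(shell dpkg-architecture -qDEB_HOST_ARCH_OS)

# Assumption: upstream's configure accepts --enable-selinux / --disable-selinux.
# Passing the switch explicitly on every platform keeps the build from
# auto-detecting a libselinux that happens to be installed.
ifeq ($(DEB_HOST_ARCH_OS),linux)
SELINUX_FLAG := --enable-selinux
else
SELINUX_FLAG := --disable-selinux
endif

# Hypothetical stamp target; adapt to the package's existing configure rule.
configure-stamp:
	dh_testdir
	./configure --prefix=/usr $(SELINUX_FLAG)
	touch configure-stamp
```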