From: Dale Amon <amon@vnl.com>
To: selinux@tycho.nsa.gov
Subject: State of Debian SELinux
Date: Sun, 18 Sep 2005 00:31:11 +0100
Message-ID: <20050917233111.GA17916@vnl.com>

I've set aside the next week to come back to SELinux
and evaluate if it's reached the point where I could
recommend it for customer sites.

So far Debian SELinux is looking pretty grim, and I'd
like feedback on whether there really is a
straightforward path to install it. By that I mean one
without a lot of kludges and pain as in the long
(and already obsolete) description of the Debian
install in McCarty's O'Reilly book.

I'm starting from a freshly burned Debian stable
install iso. I do a bog standard install up to
the point where the reboot brings you into aptitude.
I've tried both forks at that point; updating first
in sarge or cancelling.

I change the sources.list to sid and add Russell's
newselinux package line; then I update and
after selecting all the appropriate packages (and
the 2.6.12 kernel) I upgrade.

Problems: One, I have to deselect cups in the
policy default because it has an error that causes
the install to fail.

But even without it no go. I assumed I had to
reboot to get the selinuxfs, so I did that. But
the boot complains about it and a manual mount /selinuxfs
claims the kernel doesn't know what it is.

I checked the config; looks like everything associated
with selinux (and with xattr's on various file systems)
is selected.

The package will still not finish installing. The
error is:

/usr/bin/checkpolicy: loading policy configuration from policy.conf
libsepol.expand_abtab_insert: Type conflict!
Out of memory - unable to check assertions.
Check assertions failed.

I could fiddle a lot more, but that would be
counterproductive: this time around I'm looking for a
reliable and straightforward install, not just
a bit of play time hacking.

Is there an up to date description of the Debian
install? McCarty's book is *way* out of date; I
could not find a current install procedure on
Russell's site, although such might be buried in
one of his many fine tutorials.

Is there a current canonical 1-2-3 procedure for
going from the current debian iso to a fully
installed SELinux system? I don't mind if I have
to fiddle with policy afterwards, but I do want
the comfort of knowing I've got a reliable means
of installing and updating (or talking a customer
through it) if I am to consider using it for real.

Of course the fact that sid seems to be required
is a *huge* negative to start with...

--
------------------------------------------------------
Dale Amon amon@islandone.org +44-7802-188325
International linux systems consultancy
Hardware & software system design, security
and networking, systems programming and Admin
"Have Laptop, Will Travel"
------------------------------------------------------