Vitavonni

Sat, 19 Aug 2006

Giving up on SELinux for sarge, maybe even Debian altogether.

I'm giving up on backporting SELinux to sarge. Too many changes are needed in too many apps to make them really compatible with SELinux. Nothing serious, but just lots and lots of small things.

For example, the amavisd-new package will need a cronjob modification. This has already been resolved (somewhat) for unstable, but it means I would need to provide a modified amavisd-new package or a backport.

I hope that when etch gets released at the end of the year (and I actually believe this will happen), many issues will already be resolved. But that of course depends on many people using SELinux in different settings.

My most annoying issue with SELinux on Debian: cron bug #333837, open for some 300 days now.

The Debian cron package backs up e.g. /etc/shadow, which actually sounds like quite an inappropriate place for this task. And of course it's all in one file named /etc/cron.d/standard, instead of e.g. /etc/cron.d/backup-key-system-files or so, which I could then label backup_exec_t or something else to assign the special privilege of reading shadow files...

It's bugs like these, unhandled for 300 days, together with the impression of being the only one trying to get SELinux running and receiving basically no support from the SELinux upstream "community" (which, it seems, is almost exclusively "enterprise"). It's pretty much like everybody wants you to not use SELinux. Or, in my case, to not enable people to use SELinux on Debian, since I'm not just "joe average user" but actually trying to add SELinux support to the Debian distribution (which would help Ubuntu get SELinux, too; the Ubuntu people seem to have given up on SELinux already).

Frustrating reuse of applications

Debian has a small app named "savelog" that can rotate log files, compressing the old versions and rotating the file names. It's used in a couple of startup scripts and cron jobs.

The script is labeled logrotate_exec_t in SELinux, giving it the appropriate permissions to modify logfiles.

However, it's also used to rotate backup files of e.g. /var/lib/dpkg/status, which is not a log file; those backups are kept in /var/backups, which is somewhat appropriate.

However, the files in the backup dir are labeled backup_store_t, and I'm not sure if I want all logrotate apps to be able to write there...

It would be nice to have

  • a single tool for log rotation instead of several (e.g. logrotate, savelog, and the built-in functionality of some services like metalog)
  • a cleaner separation of config files and shell scripts, so SELinux domain transitions could be inserted more easily. If you stuff a whole shell script into /etc/cron.d/foobar, you're doing something really bad...
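As an added illustration of the separation asked for here and in the cron bug above (this is not code from the post, from Debian, or from the reference policy): a minimal reference-policy-style Type Enforcement module in which the key-system-file backup job gets its own cron.d entry file and its own domain. Only that domain may read shadow_t and write the backup store, and savelog's logrotate_t domain needs no write access to backup_store_t at all. The type names keybackup_t and keybackup_exec_t are constructed for this example; backup_store_t is taken from the post, and the interfaces used (cron_system_entry, auth_read_shadow, logrotate_exec, corecmd_exec_shell, corecmd_exec_bin, files_read_etc_files, files_search_var and the manage_*_pattern macros) are assumed to exist under those names in the reference policy of the time.

```sepolicy
# keybackup.te -- constructed illustration, not code from the post, Debian
# or the reference policy. The key-system-file backup job gets its own entry
# file (/etc/cron.d/backup-key-system-files, labelled keybackup_exec_t) and
# its own domain keybackup_t; nothing else that cron runs gets shadow access.
# Type names keybackup_* are made up here; interface names are assumed.

policy_module(keybackup, 1.0)

########################################
# Declarations

type keybackup_t;
type keybackup_exec_t;
domain_type(keybackup_t)
domain_entry_file(keybackup_t, keybackup_exec_t)
role system_r types keybackup_t;

gen_require(`
	# /var/backups is already labelled backup_store_t by the existing
	# backup module (as the post notes); reuse that type, don't add one.
	type backup_store_t;
')

########################################
# Policy

# crond_t executing keybackup_exec_t enters keybackup_t automatically.
# The rest of /etc/cron.d (e.g. /etc/cron.d/standard) gets none of the
# rights below.
cron_system_entry(keybackup_t, keybackup_exec_t)

# The one special privilege of this job: reading shadow_t.
auth_read_shadow(keybackup_t)
files_read_etc_files(keybackup_t)

# Write the copies into the store and rotate old copies from inside this
# domain, so logrotate_t (which savelog otherwise runs in) never needs
# write access to backup_store_t.
files_search_var(keybackup_t)
manage_dirs_pattern(keybackup_t, backup_store_t, backup_store_t)
manage_files_pattern(keybackup_t, backup_store_t, backup_store_t)

# The job is a shell script calling cp/cmp/savelog; run those helpers in
# this domain rather than transitioning into logrotate_t.
corecmd_exec_shell(keybackup_t)
corecmd_exec_bin(keybackup_t)
logrotate_exec(keybackup_t)

# keybackup.fc (separate file in the same module directory):
# /etc/cron.d/backup-key-system-files -- gen_context(system_u:object_r:keybackup_exec_t,s0)
```

Build the module with the reference policy module Makefile (or checkmodule and semodule_package), load it with semodule -i keybackup.pp, relabel the new cron file with restorecon and confirm the label with ls -Z. The payoff is in the audit log: any process other than keybackup_t touching shadow_t now produces a denial instead of being covered by a broad rule, which is exactly what the single /etc/cron.d/standard file makes impossible.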
