[DSE-Dev] init: delegate selinux operation to separate binary

Laurent Bigonville bigon at debian.org
Wed May 22 10:50:53 BST 2019

On 22/05/19 at 01:45, Dmitry Bogatov wrote:
> [2019-05-18 15:00] Laurent Bigonville <bigon at debian.org>
>> I've seen that in your commit, I just don't understand why this is even
>> a goal.
> Because I do not want to pay for what I do not use. It is a matter of good
> design and Unix way.
>> libselinux is really small and only pulls libpcre3 which is pulled by
>> grep (which is Essential). It's not possible today to install debian
>> without libselinux installed anyway.
> Path of a thousand miles starts with a single step.
>> Also, what's your plan regarding packaging? Would that executable be
>> put in a separate package?
> Yes, that's the plan.

So let's be clear for the record. I'll personally oppose all patches 
that would undermine the consistency and the experience of using SELinux 
in debian.

As a distribution, debian has historically always been on the side of 
enabling as many build options as possible to provide by default the 
"full experience" to the users. I think that good and consistent 
integration of different options and technologies is more beneficial for 
our users than winning 205kb on the default installation (libpcre is 
already pulled by grep and the sysvinit dependency against libsepol can 
be dropped).

Also, removing selinux support by default would require many packages to 
create different flavors (which is usually a big no-no in debian).

If people feel the urge to remove the libselinux library (or other 
libraries starting with "libs") from their system, that's still something 
that could be done on their side at their cost; especially since the 
current situation has existed for more than 10 years (SELinux support is 
enabled by default in sysvinit and other base packages like PAM since 
2005) and is absolutely not causing any issues whatsoever to the 
users not enabling SELinux on their system (the library is a no-op in 
that case).
