On Sun, 2017-02-12 at 20:53 +0100, SET wrote:
On Sunday, 12 February 2017 at 18:43:22 CET, Tobias Markus wrote:
I would be glad if Arch Linux's official kernel could support SELinux again this way! https://lists.archlinux.org/pipermail/arch-general/2014-March/035679.html
Thank you for the link you posted. I went through most of the discussion. This quote is what strikes me most: https://lists.archlinux.org/pipermail/arch-general/2014-March/035658.html
That they are disabled at runtime does not mean that they have no impact at runtime. At best, it's "only" a performance impact and at worst, it even causes problems.
The performance reasoning in that thread never really talked about hard metrics; it was mostly looking at kernel code and guessing what performance impact it would have. While I do think that there is no such thing as a free lunch, to my knowledge there are no recent benchmarks comparing syscall performance with and without the SELinux/audit config options.
Everything has already been discussed. The global conclusions seem to be:
Most users don't need SELinux/AppArmor or anything that protects them from themselves;
Implementing these features in the kernel may lead to more trouble than ease;
Arch kernel's devs and other devs are not ready for the tremendous tasks following such a decision;
I'm not quite sure which tremendous task you mean? Enabling the audit/SELinux config option in itself is not really a maintenance burden.
These features can be compiled in personal kernels if required;
Yes, of course - but wouldn't you agree that the Wiki page asking you to compile your own kernel first somewhat hinders users interested in trying out SELinux? Furthermore, I don't think that the theoretical next step in Arch Linux SELinux support, i.e. userspace tools in [community]/[extra], could ever be reasonably done if the actual kernel does not support SELinux.
Arch devs do that on a voluntary basis and can't respond to all requests.
For me, I'm happy with Arch as it is, I'm happy the previous discussion led to the 'no need' conclusion, and I just want to voice I wish it goes on this way.