On Fri, Mar 28, 2014 at 12:54:44PM +0200, Arthur Țițeică wrote:
> It raises a question mark that the two most important components of a system (systemd and the kernel) have security measures disabled.
>
> People in this thread like to put out the over subjective "lightweight" factor but still there are no bug reports or any other solid evidence that the kernel ate their computers since apparmor, selinux and audit were semi-silently enabled a few builds back.
>
> The facts will remain though:
>
> * the kernel will still be "everything and the kitchen sink".
> * no provable performance enhancement so far.
> * security measures will get back at square 1.
There seems to be a general, significant misunderstanding floating around this thread. The "security features" in question are not passive; their mere existence within the binary kernel does not improve security. They are modules that allow users to fine-tune certain security features through the kernel using third-party tools, features that are almost exclusively useful for server administration (since, if you're the only one with access to your single-user machine, they won't tell you anything you can't already see without them). If you've never installed and configured the SELinux/AppArmor/Tomoyo userspace packages, you've never had the security they purport to provide. Hence the point of removing their modules from the kernel isn't performance; it's that *no one uses them,* and they clutter up the kernel configuration for no good reason at all, making it more tedious to maintain and just a bit more annoying to configure for individual users for absolutely no benefit.

--
"A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools." - Douglas Adams
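The distinction the reply draws, that an LSM compiled into the kernel confines nothing until userspace loads a policy, can be checked on a running system from the kernel's securityfs interfaces. The script below is an added example, not code from anyone in this thread. It assumes the standard paths `/sys/kernel/security/lsm` (comma-separated list of initialised LSMs), `/sys/kernel/security/apparmor/profiles` (one `name (mode)` line per loaded AppArmor profile) and `/sys/fs/selinux/enforce` (`1` or `0`); the function names and the fake sysfs tree used for the demo are constructed for this example.

```shell
#!/bin/sh
# Added example: report whether the LSMs a kernel was built with are actually
# enforcing anything, rather than merely present in the binary.
# Every path is taken relative to a root argument so the same functions can be
# pointed at a constructed fake tree (see make_fake_tree) instead of the live /sys.

# Exit 0 if LSM $2 is initialised under root $1, 1 if not, 2 if securityfs is
# unreadable (kernel without CONFIG_SECURITY, or securityfs not mounted).
lsm_active() {
    f="$1/sys/kernel/security/lsm"
    [ -r "$f" ] || return 2
    tr ',' '\n' < "$f" | grep -qx "$2"
}

# Number of AppArmor profiles loaded in enforce mode; 0 when none or unavailable.
apparmor_enforce_count() {
    f="$1/sys/kernel/security/apparmor/profiles"
    [ -r "$f" ] || { echo 0; return 0; }
    grep -c '(enforce)$' "$f" || true
}

# SELinux state: "absent" (no selinuxfs), "enforcing", "permissive" or "unknown".
selinux_mode() {
    f="$1/sys/fs/selinux/enforce"
    [ -r "$f" ] || { echo absent; return 0; }
    case "$(cat "$f")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown ;;
    esac
}

# One verdict line per LSM: "built in" and "in use" are different states.
verdict() {
    root="$1"
    if ! lsm_active "$root" apparmor; then
        echo "apparmor: not active"
    elif [ "$(apparmor_enforce_count "$root")" -eq 0 ]; then
        echo "apparmor: active but no profiles enforcing"
    else
        echo "apparmor: enforcing $(apparmor_enforce_count "$root") profile(s)"
    fi
    if ! lsm_active "$root" selinux; then
        echo "selinux: not active"
    else
        echo "selinux: $(selinux_mode "$root")"
    fi
}

# Build a constructed fake sysfs tree under $1 (sample data, not captured from
# a real host). Mode $2: "bare" = AppArmor initialised, no profiles loaded
# (the "module present, nothing confined" case); "enforced" = two profiles
# enforcing and one complaining; "selinux" = SELinux initialised and enforcing.
make_fake_tree() {
    d="$1"; mode="$2"
    rm -rf "$d/sys"
    mkdir -p "$d/sys/kernel/security/apparmor" "$d/sys/fs/selinux"
    case "$mode" in
        bare)
            printf 'capability,yama,apparmor' > "$d/sys/kernel/security/lsm"
            : > "$d/sys/kernel/security/apparmor/profiles"
            ;;
        enforced)
            printf 'capability,yama,apparmor' > "$d/sys/kernel/security/lsm"
            printf '/usr/bin/man (enforce)\n/usr/sbin/tcpdump (enforce)\n/usr/bin/example (complain)\n' \
                > "$d/sys/kernel/security/apparmor/profiles"
            ;;
        selinux)
            printf 'capability,yama,selinux' > "$d/sys/kernel/security/lsm"
            printf '1' > "$d/sys/fs/selinux/enforce"
            ;;
    esac
}

# Usage: sh lsm_check.sh            -> inspect the live system
#        sh lsm_check.sh --demo     -> run against the constructed fake trees
if [ "$1" = "--demo" ]; then
    demo=$(mktemp -d)
    for m in bare enforced selinux; do
        make_fake_tree "$demo" "$m"
        echo "== constructed tree: $m =="; verdict "$demo"
    done
    rm -rf "$demo"
elif [ "$1" != "--no-run" ]; then
    verdict ""
fi
```

Running it without arguments on a box whose kernel lists `apparmor` in `/sys/kernel/security/lsm` but whose profiles file is empty prints "apparmor: active but no profiles enforcing", which is exactly the state the reply describes: the module is built and initialised, and nothing on the machine is confined by it.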