[arch-general] base stuff (was: Change Arch's default crond)

Thomas S Hatch thatch45 at gmail.com
Wed Apr 6 23:22:14 EDT 2011


On Wed, Apr 6, 2011 at 9:01 PM, DrCR <drcrlinux at gmail.com> wrote:

> Could you guys elaborate on why you dislike selinux? I would
> appreciate it. Do you prefer AppArmor, or do you dislike that as well?
>
>
> On Wed, Apr 6, 2011 at 7:13 PM, Grigorios Bouzakis <grbzks at xsmail.com>
> wrote:
> >> As for adding SELinux support in base but keeping it turned off by default,
> >> +1
> >
> > Although this isn't a vote, mine was for no selinux at all, so it's just 1. :)
> >
>
>
> 2011/4/6 Ángel Velásquez <angvp at archlinux.org>:
> > I personally dislike SELinux, so -1
> >
>

I spent quite some time as a trainer for Red Hat and taught classes on
SELinux. Normally when someone disliked SELinux it was because it gave them
trouble setting up a particular service. I was fed a never-ending stream of
stories about how SELinux had caused somebody pain.

All this did was reaffirm my respect for SELinux, because it was
a security layer that seasoned engineers could not bypass. But it also
helped me understand when, where and how to deploy SELinux so that it was a
functional security layer without becoming cumbersome.

SELinux is superior to AppArmor in that the security layer is cleaner and
much more secure; you cannot bypass SELinux without root access, while
AppArmor can be bypassed simply by discovering violations in the security.

AppArmor is easier to use, but SELinux is far more secure.

I think that Arch would benefit from including SELinux as an option because
it expands the venues available for Arch Linux systems. I also think that
inclusion in base of SELinux requires a minimal amount of maintenance and
SELinux is completely non-intrusive if it is disabled.

If you want an easy-to-use, yet thin layer of application-level security,
use AppArmor; if you want a solid security layer, learn SELinux.

