[arch-general] base stuff
Yaro Kasear
yaro at marupa.net
Fri Apr 8 12:32:20 EDT 2011
>
> So in general what is the benefits / costs for SELinux?
>
Benefits: Probably the most effective MAC for Linux. Once it runs it's
arguably not too hard to allow/deny certain access due to some third party
tools simplifying things a bit. You can't deny the NSA-grade security it
brings, which the U.S. military requires AT MINIMUM for critical
infrastructure.

Costs: Painfully overcomplicated. Painfully difficult to set up and configure.
Requires well over half the core system to be patched to support it,
potentially introducing bugs. There was a mondo security vulnerability a few
years back that could actually use SELinux to grant unrestricted access to
the system. Only a few filesystems actually have support for its attributes.
Even its policies have to be recompiled if they have to change. Way too
much can easily go wrong during setup without you having even the
slightest clue how to figure out exactly what DID, turning "repairs" for
SELinux into an almost weekend-long Google crawl.

Benefits from a base Arch perspective: I honestly can't see how putting it
in the base group would benefit Arch.

Costs from a base Arch perspective: The big one being that it's entirely
unnecessary, and base is meant to have ONLY what's needed to have a
more or less FUNCTIONAL Linux system. Being secure is not a requirement
of being functional. The other cost being that it would introduce an entirely new
layer of configuration we don't need at install time, and would also guarantee
that Arch would only be able to "officially" support the few filesystems that
actually support SELinux's labelling.

To sum up, it's GREAT when you actually NEED the security benefits it can
bring; otherwise, it's better to seek out AppArmor (which I believe is
actually defunct) or Tomoyo (which I can never find any information on), or
just leave MAC off altogether if you're not doing anything mission
or security critical. Home desktop users would probably be better off ignoring
MAC.