[arch-general] base stuff
Rogutės Sparnuotos
rogutes at googlemail.com
Sat Apr 9 06:49:13 EDT 2011
Yaro Kasear (2011-04-08 11:32):
>
> >
> > So in general what are the benefits / costs for SELinux?
> >
>
> Benefits: Probably the most effective MAC for Linux. Once it runs it's
> arguably not too hard to allow/deny certain access due to some third party
> tools simplifying things a bit. You can't deny the NSA-grade security it
> brings which the U.S. military requires AT MINIMUM for critical
> infrastructure.
>
> Costs: Painfully overcomplicated. Painfully difficult to set up and configure.
> Requires well over half the core system to be patched to support it,
> potentially introducing bugs. There was a mondo security vulnerability a few
> years back that could actually use SELinux to grant unrestricted access to
> the system. Only a few filesystems actually have support for its attributes.
> Even its policies have to be recompiled if they have to change. Way too
> much can easily go wrong during set up without you having even the
> slightest clue how to figure out exactly what DID, turning "repairs" for
> SELinux into an almost weekend-long Google crawl.
>
> Benefits from a base Arch perspective: I can't honestly see how this would
> benefit Arch from putting it in the base group.
>
> Costs from a base Arch perspective: Big one being that it's entirely
> unnecessary, and base is meant to have ONLY what's needed to have a
> more or less FUNCTIONAL Linux system. Being secure is not a requirement
> of being functional. Other cost being that it would introduce an entirely new
> layer of configuration we don't need at install time, and would also guarantee
> that Arch would only be able to "officially" support the few filesystems that
> actually support SELinux's labelling.
>
> To sum up, it's GREAT when you actually NEED the security benefits it can
> bring, otherwise, it's better to seek out AppArmor (which I believe is
> actually defunct) or Tomoyo (which I can never find any information on), or
> just leave MAC off altogether if you're not doing anything altogether mission
> or security critical. Home desktop users would probably be better off ignoring
> MAC.
An interesting read, thanks.
--
-- Rogutės Sparnuotos