[arch-general] [arch-dev-public] Trimming down our default kernel configuration

Genes Lists lists at sapience.com
Fri Mar 28 14:36:16 EDT 2014

On 03/28/2014 09:12 AM, Daniel Micay wrote:
> Security needs to be simple, predictable and well understood. It needs
> to be provably correct and easily audited. SELinux is none of these
> things. I don't really understand why a distribution striving for
> simplicity would ever enable it.

I think the above is a tad misleading.

While we don't yet have user space tools - which was I believe a key, if 
not critical, point Thomas was making - selinux is very useful and adds 
a strong security layer.  The kernel code is well audited and well 
tested in real world too.  Just not by us Arch folks - at least today - 
without the user space and policy support in core.

I cannot speak for AppArmor, but I do recall when the big debate to 
include it in mainline or not was going on, that Linus was a big 
proponent of using both together. Hence, today both are there.

And, it's not only for servers but for laptops as well. In fact newer 
versions of Android phones/tablets  use selinux enabled in enforcing 
mode. So with the right user space policies (redhat has some good base 
configs here) selinux could be a strong add for Arch linux in the future 
- maybe.

The discussion here, I thought, was whether having it in the stock Arch 
kernel offers any value to the community today. As Thomas said - it's 
pretty easy to build a custom kernel via abs if you want to work on user 
space policy etc.

I would actually like to see Arch have selinux support - it would make 
us stronger - but we just don't have the tools and policies today.


More information about the arch-general mailing list