[arch-general] Revisiting the SELinux/audit question: Disabling audit on the kernel command line

Tobias Markus tobias at miglix.eu
Mon Feb 13 15:26:46 UTC 2017


Hi,

On Sun, 2017-02-12 at 20:53 +0100, SET wrote:
> Le dimanche 12 février 2017 18:43:22 CET Tobias Markus a écrit :
> > I would be glad if Arch Linux's official kernel could support SELinux
> > again this way!
> > https://lists.archlinux.org/pipermail/arch-general/2014-March/035679.html
> 
> Thank you for the link you posted. I went through most of the discussion.
> This quote is what strikes me most:
> https://lists.archlinux.org/pipermail/arch-general/2014-March/035658.html
> 
> > That they are disabled at runtime does not mean that they have no impact
> > at runtime. At best, it's "only" a performance impact and at worst, it
> > even causes problems.

The performance reasoning in that thread never really talked about hard metrics;
it was mostly looking at kernel code and guessing what performance impact it
would have. While I do think that there is no such thing as a free lunch, to my
knowledge there are no recent benchmarks comparing syscall performance with and
without the SELinux/audit config options.

> 
> Everything has already been discussed. The global conclusions seem to be:
> 
> Most users don't need SELinux/AppArmor or anything that protects them from themselves;
> Implementing these features in the kernel may lead to more trouble than ease;
> Arch kernel's devs and other devs are not ready for the tremendous tasks following such a decision;

I'm not quite sure which tremendous task you mean? Enabling the audit/SELinux
config option in itself is not really a maintenance burden.

> These features can be compiled in personal kernels if required;

Yes, of course - but wouldn't you agree that the Wiki page asking you to compile
your own kernel first somewhat hinders users interested in trying out SELinux?
Furthermore, I don't think that the theoretical next step in Arch Linux SELinux
support, i.e. userspace tools in [community]/[extra], could ever be reasonably
done if the actual kernel does not support SELinux.

> Arch devs do that on a voluntary basis and can't respond to all requests.
> 
> For me, I'm happy with Arch as it is, I'm happy the previous discussion led
> to the 'no need' conclusion, and I just want to voice I wish it goes on this way.
> 
> Regards.

Greetings
Tobias