
Re: Updated SELinux Release



On Fri, Nov 05, 2004 at 10:11:01AM -0500, Colin Walters wrote:
> On Fri, 2004-11-05 at 10:28 +0000, Luke Kenneth Casson Leighton wrote:
> > On Thu, Nov 04, 2004 at 11:06:06PM -0500, Colin Walters wrote:
> > > On Thu, 2004-11-04 at 13:15 +0000, Luke Kenneth Casson Leighton wrote:
> > > 
> > > >  default: no.
> > > 
> > > Why not on by default, 
> > 
> >  i would agree with stephen that it should be compiled in,
> >  default options "selinux=no".
> 
> I don't believe Stephen said that.  He said that the performance hit in
> that case is just the LSM hooks.
 
 oh. yes.

> >  that gives people the choice, 
> 
> It doesn't make sense to make security a "choice".  The current Linux
> security model is simply inadequate.

 response 1: *shrug*.  that's their choice - and their problem.

 response 2: you don't have to tell _me_ that - i'm the mad one who is
 actively working on a debian/selinux distro!!! :)

 response 3: _is_ it the job of debian developers to dictate the minimum
 acceptable security level?

 basically what i mean is, in gentoo, it's a no-brainer: you set options
 at the beginning of your build, come back [2 weeks? :) ] later and you
 have a system with PAX stack smashing, lovely kernel, everything
 hunky-dory.

 debian doesn't GIVE users that choice [remember the adamantix
 bun-fight, anyone?] and instead settles for about the lowest possible
 common denominator - no consideration to modern security AT ALL!

> > without affecting performance.
> 
> That's just a bug, and it's being worked on.  

 cool.

> Personally I don't notice any performance problems.
 
 maybe it's just me with my weird setup [very likely], but
 running mozilla under KDE 3.3.0 with selinux 2.6.8.1-selinux1
 on a 256mb system (P4 2.4Ghz) is a 10-11 second startup,
 whereas if i set selinux=0 i've seen as fast as a THREE second
 startup time.

 i've put KDE_IS_PRELINKED=1, KDE_FORK_SLAVES=1 into the
 /usr/bin/startkde and i've run prelink, but i have the nvidia drivers
 so the x-windows glx drivers are symlinks, which stops prelink from
 being able to do its job on them.

 also i recompiled kde 3.3.0 .debs with the latest gcc 3.3.

 so i'm not _entirely_ confident that my setup is a good example to
 follow (!)

-- 
--
you don't have to BE MAD   | this space    | my brother wanted to join mensa,
  to work, but   IT HELPS  |   for rent    | for an ego trip - and get kicked 
 you feel better!  I AM    | can pay cash  | out for an even bigger one.
--


