[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: SELinux

On Wed, 2005-09-21 at 16:49 -0300, Henrique de Moraes Holschuh wrote:
> On Wed, 21 Sep 2005, Arvind Autar wrote:
> > is no loss  of functionality, why hasn't debian implented SELinux as
> > default?
> It is not that simple.  We are doing it slowly.

To flesh that out some:
	Fine-grain security is a *pain* in the arse.  It's not 
easy to do right, and it necessitates vigilance, since adding new
apps very well might mean new or changed MAC rules.

For systems on insecure or restricted/classified networks, it's
wonderful.  For 98% of us, it's too much complexity for not enough
benefit over:
	carefully chosen apps
	turned-off unused daemons
	a good h/w firewall
	strong iptables rules.

Ron Johnson, Jr.
Temporarily not of Jefferson, LA USA
PGP Key ID 8834C06B I prefer encrypted mail.

"Everybody today seems to be in such a terrible rush, anxious for
greater developments and greater riches and so on, so that
children have very little time for their parents. Parents have
very little time for each other, and in the home begins the
disruption of peace of the world."
Mother Teresa

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: