Re: Attempts at security
Am Freitag 02 Februar 2007 21:14 schrieb Reinhard Tartler:
> Hendrik Sattler <firstname.lastname@example.org> writes:
> > And everybody gets the SE Linux overhead if he wants or not?
> Which overhead does SE Linux impose to you?
Take a look at the extra paths in the LSM that the kernel runs for many system
calls. There is no selective choice in what to turn on, except the rules that
you specify later down that road.
ALthough capabilities also use the LSM (which sucks, btw), the are pretty
simple (this is _not_ a comparison to SE Linux).
> > The current system does not give you perfect security but neither does
> > adding SE Linux. Instead, you probably get annoying permission
> > problems.
> > Name a few guys that really likes to use this on a private machine and
> > some real-life improvements that it brings. Hint: "increased security" is
> > not an argument.
> I consider "increased security" a very valid argument. The DAC security
> model is quite outdated now and doesn't really match real world security
> concerns most workstations are experiencing today!
"Real world security concerns"? Please describe your "real world" and compare
to the other existant "real world"s.
> > Not being able to change the cause to the better doesn't mean to
> > introduce a mess to control the result. And I really hope that Debian
> > never considers installing+enabling selinux by default.
> IIRC, debian/etch already does already install selinux today without you
> even noticing it.
It is not enabled by default. That is the other point: you get that selinux
integration if you want or not.