
Re: Attempts at security

On Sat, 03 Feb 2007, Russell Coker wrote:
> One that springs to mind is CONFIG_HIGHMEM4G, it seems only useful if you have 

You need to enable PAE (64GB support) to access the NX bit on ia32, which is
even worse, and that's the reason why my 1GB laptop has a PAE kernel :(

> Another is the fact that all Debian kernels for i686 and similar CPUs are 
> compiled with SMP enabled even though the vast majority of such machines are 
> not SMP.  Until the most recent developments in CPUs implementing the AMD64 

Nowadays the kernel patches itself at runtime, I believe, to reduce the cost
of SMP on UP.  But your point stands, anyway.

Heck, use of ECC memory can slow down a system by as much as 1% AFAIK, and
still, use of ECC is pretty much a given everywhere people really care
about stability (e.g. you cannot even buy servers from non-joke vendors
without chipkill memory...)

> Anyway, if the overhead of SE Linux in the kernel is something you consider to 
> be a problem then there are many bigger problems that you will have with the 

If the overhead is really big, we can have SE Linux in the kernel as an
optional component.  But it isn't that big when the thing is off.

It *is* quite measurable when it is ON and enforcing policy, but since we
are not talking about whether to enable it by default or not, or even how to
word the question asking the user whether he wants it enabled or not, THAT is
not the point.

> Debian kernel packages (or probably any kernel image from a binary 
> distribution).  Best to just compile your own kernel.


> > "Real world security concerns"? Please describe your "real world" and
> > compare to the other existent "real world"s.

Botnets and the mafias behind them.  Trojans.  Script kiddies.

> > It is not enabled by default. That is the other point: you get that selinux
> > integration if you want or not.

Yes, and exactly what is the problem with that?

Have you *ever* looked at the amount of libraries we link to in Debian?  SE
Linux libs are small compared to most of them, and *far* more useful.

SE Linux is really just an extra library and files lying around in your HD,
as long as you compile your own kernel.  And if you don't compile your own
kernel, its impact is very minimal while disabled *and* you are in no
position to argue anything about performance, as the Debian kernel config is
anything BUT engineered for performance anyway (e.g. everything is a

  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
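The PAE/NX point made at the top of the message, as an added example that is not part of the original mail or of any Debian package: a small Python checker, run over constructed /proc/cpuinfo and kernel .config samples, that reports whether a 32-bit kernel build can actually make use of the CPU's NX bit. The option names CONFIG_X86_PAE and CONFIG_X86_64 are real kernel options assumed here alongside the CONFIG_HIGHMEM64G the mail mentions.

```python
import re

# Constructed sample inputs (not captured from a real machine).
SAMPLE_CPUINFO = """\
processor\t: 0
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht tm pbe nx lm constant_tsc
"""

SAMPLE_CONFIG_NOPAE = """\
CONFIG_X86_32=y
CONFIG_HIGHMEM4G=y
# CONFIG_HIGHMEM64G is not set
# CONFIG_X86_PAE is not set
"""

SAMPLE_CONFIG_PAE = """\
CONFIG_X86_32=y
# CONFIG_HIGHMEM4G is not set
CONFIG_HIGHMEM64G=y
CONFIG_X86_PAE=y
"""

def cpu_flags(cpuinfo: str) -> set:
    """Return the flag set from the first 'flags' line of /proc/cpuinfo text."""
    for line in cpuinfo.splitlines():
        if line.startswith("flags"):
            return set(line.split(":", 1)[1].split())
    return set()

def config_enabled(config: str, option: str) -> bool:
    """True if 'option=y' is present; a '# ... is not set' line counts as off."""
    return re.search(rf"^{re.escape(option)}=y$", config, re.M) is not None

def nx_status(cpuinfo: str, config: str) -> str:
    """Classify NX usability: 'usable', 'cpu-lacks-nx', 'cpu-lacks-pae' or 'needs-pae'."""
    flags = cpu_flags(cpuinfo)
    if "nx" not in flags:
        return "cpu-lacks-nx"
    if config_enabled(config, "CONFIG_X86_64"):
        return "usable"  # 64-bit page tables always carry the NX bit
    # On ia32 the NX bit only exists in PAE page-table entries, so the
    # kernel must be built with PAE (selected by CONFIG_HIGHMEM64G) to use it.
    if config_enabled(config, "CONFIG_X86_PAE") or config_enabled(config, "CONFIG_HIGHMEM64G"):
        return "usable" if "pae" in flags else "cpu-lacks-pae"
    return "needs-pae"
```

On a live system the same functions can be fed the contents of /proc/cpuinfo and /boot/config-$(uname -r).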
