Re: Debian openssh option review: considering splitting out GSS-API key exchange
In days of yore (Tue, 02 Apr 2024), Colin Watson thus quoth:
> TCP wrappers
> ============
I have not used hosts.{allow,deny} for the last 17 years (since I started my
current employment), so I am biased. My honest opinion is that firewalls and
fail2ban have pretty much obsoleted TCP wrappers.
> SELinux
> =======
>
> For the time being my inclination is to leave this be, but I've seen the
> suggestion that pam_selinux is basically all you need
> (https://infosec.exchange/@alwayscurious/112192949171400643), so maybe
> it would be an option to drop --with-selinux in favour of that? I've
> never used SELinux, so I'd need an expert to weigh on here.
If you need an expert on SELinux, you need Dan Walsh.
I have used SELinux for the last 17 years, from when it was a monolithic
policy to what it is like today in RHEL. SELinux is - as far as I know -
not an issue and has a fail-closed rather than fail-open approach. IMHO,
if it is not used and you have the time to spare to drop it, do; otherwise
it should be safe to keep the status quo on this.
And should Debian pick SELinux up fully and enable a targeted policy,
well, you will want this anyway.
--
Kind regards,
/S