On Sep 22, 2007, at 12:00 PM, Darrin Chandler wrote:

quoted text
> On Sat, Sep 22, 2007 at 11:34:33AM -0400, Douglas A. Tutty wrote:
>> Linux has SELinux in its 2.6 kernel and debian has gone ahead and
>> compiled SELinux into the libraries, although the SELinux policies
>> aren't ready on debian yet.  The whole focus seems to be to make  
>> Linux
>> "more secure".  I'm not sure what to make of it.  I figure that if  
>> you
>> want secure, you switch to OBSD.
>>
>> Could someone who knows both the details of OBSDs security  
>> enhancements
>> and the details of SELinux comment?
>
> I don't know all the details, and especially not the SELinux details,
> but that won't stop me from commenting.
>
> Not long ago I was talking with a Linux person about security, and  
> they
> pointed me to a set of patches that did a lot of nifty stuff. Good
> stuff, like the things you find OpenBSD doing. But it's not in the
> mainline kernel, it's a set of patches.
>
> Security should not be grafted on, it should be integrated into the
> main development process. I'm sure the patch maintainers are doing  
> their
> best, but this doesn't change the fundamental flaw in the process.  
> It's
> not a flaw of their making, it's inherent in the situation. But it's
> still a flaw.
>
> Compare that to a complete operating system (OpenBSD) where  
> security is part of
> code quality, and part of the normal mainline development.

If I could add one thing to Darrin's comment (of which I agree  
completely), it would be this:

SELinux is a button.  Buttons are easy to turn off.


---
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net