On Sep 22, 2007, at 12:00 PM, Darrin Chandler wrote:
> On Sat, Sep 22, 2007 at 11:34:33AM -0400, Douglas A. Tutty wrote:
>> Linux has SELinux in its 2.6 kernel and Debian has gone ahead and
>> compiled SELinux into the libraries, although the SELinux policies
>> aren't ready on Debian yet. The whole focus seems to be to make Linux
>> "more secure". I'm not sure what to make of it. I figure that if you
>> want secure, you switch to OBSD.
>>
>> Could someone who knows both the details of OBSD's security
>> enhancements and the details of SELinux comment?
>
> I don't know all the details, and especially not the SELinux details,
> but that won't stop me from commenting.
>
> Not long ago I was talking with a Linux person about security, and they
> pointed me to a set of patches that did a lot of nifty stuff. Good
> stuff, like the things you find OpenBSD doing. But it's not in the
> mainline kernel, it's a set of patches.
>
> Security should not be grafted on, it should be integrated into the
> main development process. I'm sure the patch maintainers are doing their
> best, but this doesn't change the fundamental flaw in the process. It's
> not a flaw of their making, it's inherent in the situation. But it's
> still a flaw.
>
> Compare that to a complete operating system (OpenBSD) where security is
> part of code quality, and part of the normal mainline development.
If I could add one thing to Darrin's comment (with which I agree
completely), it would be this:

SELinux is a button. Buttons are easy to turn off.
---
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net