On Sep 22, 2007, at 12:28 PM, "Ihar Hrachyshka" <ihar.hrachyshka@gmail.com> wrote:
> 2007/9/22, Jason Dixon <jason@dixongroup.net>:
>> On Sep 22, 2007, at 12:00 PM, Darrin Chandler wrote:
>>
>>> On Sat, Sep 22, 2007 at 11:34:33AM -0400, Douglas A. Tutty wrote:
>>>> Linux has SELinux in its 2.6 kernel and debian has gone ahead and
>>>> compiled SELinux into the libraries, although the SELinux policies
>>>> aren't ready on debian yet. The whole focus seems to be to make Linux
>>>> "more secure". I'm not sure what to make of it. I figure that if you
>>>> want secure, you switch to OBSD.
>>>>
>>>> Could someone who knows both the details of OBSDs security enhancements
>>>> and the details of SELinux comment?
>>>
>>> I don't know all the details, and especially not the SELinux details,
>>> but that won't stop me from commenting.
>>>
>>> Not long ago I was talking with a Linux person about security, and they
>>> pointed me to a set of patches that did a lot of nifty stuff. Good
>>> stuff, like the things you find OpenBSD doing. But it's not in the
>>> mainline kernel, it's a set of patches.
>>>
>>> Security should not be grafted on, it should be integrated into the
>>> main development process. I'm sure the patch maintainers are doing their
>>> best, but this doesn't change the fundamental flaw in the process. It's
>>> not a flaw of their making, it's inherent in the situation. But it's
>>> still a flaw.
>>>
>>> Compare that to a complete operating system (OpenBSD) where security is
>>> part of code quality, and part of the normal mainline development.
>>
>> If I could add one thing to Darrin's comment (of which I agree
>> completely), it would be this:
>>
>> SELinux is a button. Buttons are easy to turn off.
>>
> You can also turn off OBSD security features by lowering its level,
> can't you?
Only in single-user mode, not in a running multi-user system. Please
see securelevel(8).
> Men, just say that OBSD doesn't support task-based security policies,
> sure. It's not so bad, not really, because most OSs don't have it
> either. But please stop blaming Linux for flaws: SELinux IS in the kernel
> mainline, so what are the problems with it, hum?
>>
>>
It's a button. Buttons are easily turned off. Ask *any* Linux server
admin. Odds are 10-1 they've disabled SELinux.
---
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
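The thread's practical point is that a mandatory access control "button" only protects a host while it is actually pressed, so a defender wants a repeatable check of whether SELinux is enforcing (and will still be enforcing after the next boot) or whether an OpenBSD host's securelevel has been left at a value where the kernel protections described in securelevel(8) are off. The following audit helper is an added example written for this page; it is not code from the thread or from either project. It assumes the standard `SELINUX=enforcing|permissive|disabled` key in `/etc/selinux/config`, the `0`/`1` contents of `/sys/fs/selinux/enforce`, and the `kern.securelevel=N` line printed by `sysctl` on OpenBSD; all sample inputs below are constructed.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): classify the MAC / securelevel
# state a host reports so a fleet audit can flag machines where the "button" is off.
# Assumptions (not taken from the page): /etc/selinux/config uses SELINUX=<mode>,
# /sys/fs/selinux/enforce contains 0 or 1, and `sysctl kern.securelevel` on OpenBSD
# prints "kern.securelevel=N".

# selinux_config_mode <config-file-text>
# Boot-time mode from the SELINUX= key; comment lines (#...) are ignored.
# Prints enforcing, permissive, disabled, or "unset" if the key is missing.
selinux_config_mode() {
    mode=$(printf '%s\n' "$1" | grep -E '^[[:space:]]*SELINUX=' | tail -n 1 \
           | cut -d= -f2 | tr -d '[:space:]')
    if [ -z "$mode" ]; then
        printf 'unset\n'
    else
        printf '%s\n' "$mode"
    fi
}

# selinux_runtime_mode <contents-of-/sys/fs/selinux/enforce>
# An empty argument models a missing selinuxfs node (SELinux not active).
selinux_runtime_mode() {
    case "$1" in
        '') printf 'disabled\n' ;;
        1)  printf 'enforcing\n' ;;
        0)  printf 'permissive\n' ;;
        *)  printf 'unknown\n' ;;
    esac
}

# selinux_verdict <runtime-mode> <config-mode>
# "ok" only when the host enforces now and will enforce after reboot;
# otherwise an ALERT line saying which side drifted.
selinux_verdict() {
    if [ "$1" = enforcing ] && [ "$2" = enforcing ]; then
        printf 'ok\n'
    else
        printf 'ALERT runtime=%s boot=%s\n' "$1" "$2"
    fi
}

# securelevel_from_sysctl <sysctl-output-line>
# Extracts N from "kern.securelevel=N" (N may be -1); prints nothing on no match.
securelevel_from_sysctl() {
    printf '%s\n' "$1" \
        | sed -n 's/^kern\.securelevel=\(-\{0,1\}[0-9][0-9]*\).*/\1/p'
}

# securelevel_verdict <level>
# securelevel(8): level 1 or higher is the normal multi-user setting and the
# kernel refuses to lower it while multi-user; anything below is worth an alert.
securelevel_verdict() {
    if [ -z "$1" ]; then
        printf 'unknown\n'
    elif [ "$1" -ge 1 ]; then
        printf 'ok\n'
    else
        printf 'ALERT securelevel=%s\n' "$1"
    fi
}

# Demo with constructed inputs (what the audit would read from each host).
sample_config='# This file controls the state of SELinux on the system.
SELINUX=permissive
SELINUXTYPE=targeted'
runtime=$(selinux_runtime_mode 1)               # kernel enforcing right now
boot=$(selinux_config_mode "$sample_config")    # but permissive after reboot
printf 'linux-host: %s\n' "$(selinux_verdict "$runtime" "$boot")"

level=$(securelevel_from_sysctl 'kern.securelevel=1')
printf 'obsd-host: %s\n' "$(securelevel_verdict "$level")"
```

Run on a real host, the two `selinux_*` readers would be fed `$(cat /etc/selinux/config)` and `$(cat /sys/fs/selinux/enforce 2>/dev/null)`, and `securelevel_from_sysctl` would be fed `$(sysctl kern.securelevel)`; checking both the running state and the boot-time configuration is what catches a box that was set permissive "just for now" and never set back.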