Re: OBSD's perspective on SELinux

view
thread

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

[view in full thread]

From: Jason Dixon <jason@...>

To: Ihar Hrachyshka <ihar.hrachyshka@...>

Cc: misc@openbsd.org <misc@...>

Subject: Re: OBSD's perspective on SELinux

Date: Saturday, September 22, 2007 - 1:48 pm

On Sep 22, 2007, at 12:28 PM, "Ihar Hrachyshka"  wrote:
> 2007/9/22, Jason Dixon :

quoted text>> On Sep 22, 2007, at 12:00 PM, Darrin Chandler wrote:

>>

>>> On Sat, Sep 22, 2007 at 11:34:33AM -0400, Douglas A. Tutty wrote:

>>>> Linux has SELinux in its 2.6 kernel and debian has gone ahead and

>>>> compiled SELinux into the libraries, although the SELinux policies

>>>> aren't ready on debian yet.  The whole focus seems to be to make

>>>> Linux

>>>> "more secure".  I'm not sure what to make of it.  I figure that if

>>>> you

>>>> want secure, you switch to OBSD.

>>>>

>>>> Could someone who knows both the details of OBSDs security

>>>> enhancements

>>>> and the details of SELinux comment?

>>>

>>> I don't know all the details, and especially not the SELinux

>>> details,

>>> but that won't stop me from commenting.

>>>

>>> Not long ago I was talking with a Linux person about security, and

>>> they

>>> pointed me to a set of patches that did a lot of nifty stuff. Good

>>> stuff, like the things you find OpenBSD doing. But it's not in the

>>> mainline kernel, it's a set of patches.

>>>

>>> Security should not be grafted on, it should be integrated into the

>>> main development process. I'm sure the patch maintainers are doing

>>> their

>>> best, but this doesn't change the fundamental flaw in the process.

>>> It's

>>> not a flaw of their making, it's inherent in the situation. But it's

>>> still a flaw.

>>>

>>> Compare that to a complete operating system (OpenBSD) where

>>> security is part of

>>> code quality, and part of the normal mainline development.

>>

>> If I could add one thing to Darrin's comment (of which I agree

>> completely), it would be this:

>>

>> SELinux is a button.  Buttons are easy to turn off.

>>

> You can also turn off OBSD security features by lowering its level,

> isn't it?
Only in single-user mode, not in a running multi-user system.  Please

see securelevel(8).
> Men, just say that OBSD doesn't support task-based security policies,

quoted text> sure. It's not so bad, not really, because most of OSs don't have it

> too. But please stop blaming about Linux flaws: SELinux IS in kernel

> mainline, so what's the problems with it, hum?

>>

>>
It's a button.  Buttons are easily turned off.  Ask *any* Linux server

admin.  Odds are 10-1 they've disabled SELinux.
---

Jason Dixon

DixonGroup Consulting

http://www.dixongroup.net

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

Re: OBSD's perspective on SELinux, Jason Dixon, (Sat Sep 22, 1:48 pm)

Navigation

Popular discussions


linux-kernel:
David Miller	[GIT]: Networking
Greg KH	Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3
Geert Uytterhoeven	Re: linux-next: Tree for August 14
Bart Van Assche	Integration of SCST in the mainstream Linux kernel
git:

linux-netdev:
Arjan van de Ven	Re: [GIT]: Networking
Gerrit Renker	[PATCH 27/37] dccp: Integration of dynamic feature activation - part 2 (server side)
David Miller	Re: [PATCH] pkt_sched: Destroy gen estimators under rtnl_lock().
David Woodhouse	Re: [bug?] tg3: Failed to load firmware "tigon/tg3_tso.bin"
openbsd-misc:

Colocation donated by: