Re: OBSD's perspective on SELinux

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

[view in full thread]

From: Douglas A. Tutty <dtutty@...>

To: <misc@...>

Subject: Re: OBSD's perspective on SELinux

Date: Saturday, September 22, 2007 - 4:21 pm

On Sat, Sep 22, 2007 at 11:50:08AM -0700, Ted Unangst wrote:

quoted text

> On 9/22/07, Douglas A. Tutty wrote:
> > Linux has SELinux in its 2.6 kernel and debian has gone ahead and
> > compiled SELinux into the libraries, although the SELinux policies
> > aren't ready on debian yet.
>
> rhetorical question: why aren't the policies ready?
>
> the problem with security by policy is that the policy is always wrong.
>
> exercise for the reader: find somebody using SELinux. ask them to
> describe their policy over the phone. then repeat it back to them.
> did you get it right?

I only know (via the mailing list) people running Debian. Debian comes
with the SELinux patches compiled into the libraries and kernel but the
SELinux policies haven't been integrated into the "Debian way of doing
things yet". In other words, since debian packages, by policy, must
"just work" on install (come with a reasonable default setup), (except
for a few things like the Shorewall firewall builder that installs to a
disabled state that prints a warning), once Debian decides on a SELinux
policy, all the thousands of packages have to be set up to detect the
SELinux policy on the box at the time and integrate themselves into it.

That's the limit to what I know about it. It sounds like solving the
opening of a can of worms by dumping it into a vermiculture pot.

Anyway, thanks for the discussion. For security I'll stick with OBSD.
For watching movies, I'll stick with Debian until someone builds a
video card that doesn't need a blob driver to run the hardware
converter.

Doug.

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

OBSD's perspective on SELinux, Douglas A. Tutty, (Sat Sep 22, 11:34 am)

Re: OBSD's perspective on SELinux, Damien Miller, (Mon Sep 24, 11:09 pm)

Re: OBSD's perspective on SELinux, Chris Kuethe, (Mon Sep 24, 10:52 am)

Re: OBSD's perspective on SELinux, Marco Peereboom, (Sat Sep 22, 11:27 pm)

Re: OBSD's perspective on SELinux, L. V. Lammert, (Sat Sep 22, 7:47 pm)

Re: OBSD's perspective on SELinux, Rui Miguel Silva Seabra, (Sun Sep 23, 5:54 pm)

Re: OBSD's perspective on SELinux, Ted Unangst, (Mon Sep 24, 1:29 pm)

Re: OBSD's perspective on SELinux, Jacob Yocom-Piatt, (Mon Sep 24, 2:17 pm)

Re: OBSD's perspective on SELinux, Ted Unangst, (Mon Sep 24, 3:14 pm)

Re: OBSD's perspective on SELinux, Brian Candler, (Mon Sep 24, 11:31 am)

Re: OBSD's perspective on SELinux, Rui Miguel Silva Seabra, (Mon Sep 24, 11:59 am)

Re: OBSD's perspective on SELinux, Marc Espie, (Tue Sep 25, 6:06 am)

Re: OBSD's perspective on SELinux, Marc Espie, (Tue Sep 25, 8:34 am)

Re: digitally signed distribution (was: OBSD's perspective o..., Joachim Schipper, (Sun Sep 23, 6:35 pm)

Re: digitally signed distribution (was: OBSD's perspective o..., Martin Schröder, (Mon Sep 24, 11:18 am)

Re: digitally signed distribution (was: OBSD's perspective o..., Lars Hansson, (Tue Sep 25, 1:57 am)

Re: digitally signed distribution (was: OBSD's perspective o..., Darren Spruell, (Tue Sep 25, 2:32 am)

Re: digitally signed distribution (was: OBSD's perspective o..., Gilles Chehade, (Mon Sep 24, 5:40 am)

Re: digitally signed distribution (was: OBSD's perspective o..., Martin Schröder, (Mon Sep 24, 12:02 pm)

Re: digitally signed distribution (was: OBSD's perspective o..., Antti Harri, (Mon Sep 24, 1:32 pm)

Re: digitally signed distribution (was: OBSD's perspective o..., Rui Miguel Silva Seabra, (Sun Sep 23, 6:38 pm)

Re: OBSD's perspective on SELinux, Ted Unangst, (Sat Sep 22, 2:50 pm)

Re: OBSD's perspective on SELinux, Douglas A. Tutty, (Sat Sep 22, 4:21 pm)

Re: OBSD's perspective on SELinux, , (Sat Sep 22, 7:20 pm)

Re: OBSD's perspective on SELinux, Stuart Henderson, (Sat Sep 22, 4:00 pm)

Re: OBSD's perspective on SELinux, Joachim Schipper, (Sat Sep 22, 12:29 pm)

Re: OBSD's perspective on SELinux, Ihar Hrachyshka, (Sat Sep 22, 12:45 pm)

Re: OBSD's perspective on SELinux, Joachim Schipper, (Sat Sep 22, 4:39 pm)

Re: OBSD's perspective on SELinux, Darrin Chandler, (Sat Sep 22, 12:00 pm)

Re: OBSD's perspective on SELinux, Eduardo Tongson, (Sat Sep 22, 12:52 pm)

Re: OBSD's perspective on SELinux, Jason Dixon, (Sat Sep 22, 12:20 pm)

Re: OBSD's perspective on SELinux, Douglas A. Tutty, (Sat Sep 22, 1:21 pm)

Re: OBSD's perspective on SELinux, Ihar Hrachyshka, (Sat Sep 22, 1:38 pm)

Re: OBSD's perspective on SELinux, David Gwynne, (Mon Sep 24, 10:08 am)

Re: OBSD's perspective on SELinux, Jason Dixon, (Mon Sep 24, 10:25 am)

Re: OBSD's perspective on SELinux, , (Mon Sep 24, 2:28 pm)

Re: OBSD's perspective on SELinux, Brian Candler, (Sun Sep 23, 3:25 pm)

Re: OBSD's perspective on SELinux, Eduardo Tongson, (Sat Sep 22, 2:00 pm)

Re: OBSD's perspective on SELinux, Jeffrey 'jf' Lim, (Sat Sep 22, 12:26 pm)


linux-kernel:
Stephen Smalley	Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
Tarkan Erimer	Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3
Jan Engelhardt	intel iommu (Re: -mm merge plans for 2.6.23)
Greg Kroah-Hartman	[PATCH 005/196] Chinese: add translation of SubmittingDrivers
git:

linux-activists:
David Fenyes	sigsetmask()? (LINUX)
Stephen Tweedie	Unmounting root (no kidding!) [was: Some Linux problems---solved]
Les Andrzejewski	X386/WD90C31/SUMSUNG SYNC MASTER 4
Doug Evans	Re: Stabilizing Linux
linux-netdev:
Gerrit Renker	[PATCH 27/37] dccp: Integration of dynamic feature activation - part 2 (server side)
Linus Torvalds	Re: [GIT]: Networking
Jarek Poplawski	[PATCH] pkt_sched: Destroy gen estimators under rtnl_lock().
Herbert Xu	Re: [PATCH] myr10ge: again fix lro_gen_skb() alignment

Re: OBSD's perspective on SELinux

Online users