On Sat, Sep 22, 2007 at 06:47:46PM -0500, L. V. Lammert wrote:
quoted text
> OBSD is UNIX, .. SELinux is Linux. If you want a secure, efficient,
> compact OS done by folks you can trust and actually talk to, use OBSD; if
> you want 'fairly secure Linux' [which has had thousands of hand in it
> including NSA, as mentioned previousy], use OpenSUSE with ***AppArmor***.
> Simple and easy to implement, even by less senior Admins.

Can you say "root can only run this and that application when su'ed from
that guy, and may not open any net connection, but open this file and none
else" in OpenBSD? If so, how can I do it? :)

quoted text
> SELinux is **NOT** ready for primetime, unless it's changed tremenduously
> in the past couple of years. Last time we tried it, management was totally
> arcane and the machines would lock up on a regular (monthly) basis. It
> wasn't worth the time to troubleshoot so we went with AppArmor for that
> application.

A couple of years is a long time, in terms of software, so I'd expect such
instabilities, if SELinux is the culprit, to be fixed.

But I won't deny it's learning curve is extremely steep. So steep indeed
that most of the time it's easier to have carefully laid out standard
unix permissions associated with sudo and specific users for specific
software.

The *need* for things like SELinux exists in some niche markets where
higher levels of security are necessary.

Remember: OpenBSD still doesn't have a digitally signed code distribution,
and in some places that means it can't enter! Stupid, I know, but not too
stupid for the "blame game" rules, which sort of ignore the "secure by
design" initiatives.

Rui

-- 
All Hail Discordia!
Today is Sweetmorn, the 47th day of Bureaucracy in the YOLD 3173
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?