On Thu, Jan 1, 2015 at 7:25 PM, Alec Ten Harmsel <a...@alectenharmsel.com> wrote:
> Context for my replies - I only use Gentoo in a personal setting.
>
> On 01/01/2015 12:01 PM, Alexander Kapshuk wrote:
> > I was wondering if there was any harm in disabling the NSA SELinux
> > support in my gentoo-sources based kernel.
>
> I've never had SELinux enabled in my Gentoo kernels.
>
> >
> > The kernel config help for the NSA SELinux options suggests that
> > having them enabled is optional.
>
> Yup, totally is.
>
> >
> > If I understand it correctly, having these options on in the kernel
> > config alone does not imply that my system is using NSA SELinux.
> > According to http://wiki.gentoo.org/wiki/SELinux/Installation, a bunch
> > of other things needs to be taken care of to have SELinux on.
>
> That's correct - I don't know what software/config one needs, but
> SELinux is enabled/disabled/configured in userspace.
>
> >
> > Is SELinux something that the folk here would recommend using on a
> > personal, rather than a production system? Or would you recommend
> > using something else, if anything at all?
> >
> > Thanks.
> >
>
> I would recommend using nothing. From what little I understand about
> security-related stuff, SELinux constrains the resources available to
> programs (sockets, files, etc.) so vulnerabilities in various server
> programs don't lead to an entire system being compromised.
>
> SELinux is the only one I've had a bit of experience with - I run CentOS
> (SELinux is enabled by default) for some personal-use-only services that
> I want to run without dealing with Gentoo. My first step in a CentOS
> install is to disable SELinux (and the firewall, hehe) to avoid dealing
> with the pain of wading through documentation for hours on end.
>
> The one use case that seems pretty interesting for personal use is
> something I know for sure Ubuntu does - an AppArmor profile for all of
> the web browsers they ship. AppArmor, if I'm not mistaken, does a lot of
> the same things as SELinux, and the browser profiles guard against rogue
> JavaScript from doing bad things.
>
> If I got anything wrong security-wise, I'm sorry, and hopefully someone
> corrects it quickly.
>
> Hope this helps,
>
> Alec
>

Understood. Thanks.