On Sep 22, 2007, at 12:00 PM, Darrin Chandler wrote:
On Sat, Sep 22, 2007 at 11:34:33AM -0400, Douglas A. Tutty wrote:
Linux has SELinux in its 2.6 kernel and debian has gone ahead and
compiled SELinux into the libraries, although the SELinux policies
aren't ready on debian yet. The whole focus seems to be to make
Linux
"more secure". I'm not sure what to make of it. I figure that if
you
want secure, you switch to OBSD.
Could someone who knows both the details of OBSDs security
enhancements
and the details of SELinux comment?
I don't know all the details, and especially not the SELinux details,
but that won't stop me from commenting.
Not long ago I was talking with a Linux person about security, and
they
pointed me to a set of patches that did a lot of nifty stuff. Good
stuff, like the things you find OpenBSD doing. But it's not in the
mainline kernel, it's a set of patches.
Security should not be grafted on, it should be integrated into the
main development process. I'm sure the patch maintainers are doing
their
best, but this doesn't change the fundamental flaw in the process.
It's
not a flaw of their making, it's inherent in the situation. But it's
still a flaw.
Compare that to a complete operating system (OpenBSD) where
security is part of
code quality, and part of the normal mainline development.
If I could add one thing to Darrin's comment (of which I agree
completely), it would be this:
SELinux is a button. Buttons are easy to turn off.
---
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
