On Sep 22, 2007, at 12:28 PM, "Ihar Hrachyshka" <[EMAIL PROTECTED] > wrote:

2007/9/22, Jason Dixon <[EMAIL PROTECTED]>:
On Sep 22, 2007, at 12:00 PM, Darrin Chandler wrote:

On Sat, Sep 22, 2007 at 11:34:33AM -0400, Douglas A. Tutty wrote:
Linux has SELinux in its 2.6 kernel and debian has gone ahead and
compiled SELinux into the libraries, although the SELinux policies
aren't ready on debian yet.  The whole focus seems to be to make Linux
"more secure".  I'm not sure what to make of it.  I figure that if you
want secure, you switch to OBSD.

Could someone who knows both the details of OBSD's security enhancements
and the details of SELinux comment?

I don't know all the details, and especially not the SELinux details,
but that won't stop me from commenting.

Not long ago I was talking with a Linux person about security, and they
pointed me to a set of patches that did a lot of nifty stuff. Good
stuff, like the things you find OpenBSD doing. But it's not in the
mainline kernel, it's a set of patches.

Security should not be grafted on, it should be integrated into the
main development process. I'm sure the patch maintainers are doing their
best, but this doesn't change the fundamental flaw in the process. It's
not a flaw of their making, it's inherent in the situation. But it's
still a flaw.

Compare that to a complete operating system (OpenBSD) where security is
part of code quality, and part of the normal mainline development.

If I could add one thing to Darrin's comment (with which I agree
completely), it would be this:

SELinux is a button.  Buttons are easy to turn off.

You can also turn off OBSD security features by lowering its level, can't you?

Only in single-user mode, not in a running multi-user system. Please see securelevel(8).

Men, just say that OBSD doesn't support task-based security policies,
sure. It's not so bad, not really, because most OSs don't have it
either. But please stop complaining about Linux flaws: SELinux IS in the
mainline kernel, so what's the problem with it, hm?
It's a button. Buttons are easily turned off. Ask *any* Linux server admin. Odds are 10-1 they've disabled SELinux.

---
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net