On Wed, Apr 6, 2011 at 9:01 PM, DrCR <drcrlinux@xxxxxxxxx> wrote:
> Could you guys elaborate on why you dislike selinux? I would
> appreciate it. Do you prefer AppArmor, or do you dislike that as well?
>
> On Wed, Apr 6, 2011 at 7:13 PM, Grigorios Bouzakis <grbzks@xxxxxxxxxx> wrote:
> >> As for adding SELinux support in base but keeping it turned off by default,
> >> +1
> >
> > Although this isn't a vote, mine was for no selinux at all, so it's just 1. :)
>
> 2011/4/6 Ángel Velásquez <angvp@xxxxxxxxxxxxx>:
> > I personally dislike SELinux, so -1

I spent quite some time as a trainer for Red Hat and taught classes on SELinux. Normally when someone disliked SELinux it was because it gave them trouble setting up a particular service. I was fed a never-ending stream of stories about how SELinux had caused somebody pain. All this did was reaffirm my respect for SELinux, because it was a security layer that seasoned engineers could not bypass. But it also helped me understand when, where and how to deploy SELinux so that it was a functional security layer without becoming cumbersome.

SELinux is superior to AppArmor in that the security layer is cleaner and much more secure; you cannot bypass SELinux without root access, while AppArmor can be bypassed simply by discovering violations in the security. AppArmor is easier to use, but SELinux is far more secure.

I think that Arch would benefit from including SELinux as an option because it expands the venues available for Arch Linux systems. I also think that inclusion in base of SELinux requires a minimal amount of maintenance, and SELinux is completely non-intrusive if it is disabled.

If you want an easy-to-use, yet thin layer of application-level security, use AppArmor; if you want a solid security layer, learn SELinux.