Yaro Kasear (2011-04-08 11:32): > > > > > So in general what is the benefits / costs for SELinux? > > > > Benefits: Probably the most effective MAC for Linux. Once it runs it's > arguably not too hard to allow/deny certain access due to some third party > tools simplifying things a bit. You can't deny the NSA-grade security it > brings which the U.S. military requires AT MINIMUM for critical > infrastructure. > > Costs: Painfully overcomplicated. Painfully difficult to set up and configure. > Requires well over half the core system to be patched to support it, > potentially introducing bugs. There was a mondo security vulnerability a few > years back that could actually use SELinux to grant unrestricted access to > the system. Only a few filesystems actually have support for its attributes. > Even its policies have to be recompiled if they have to change. Way too > much can easily go wrong during set up without you having even the > slightest clue how to figure out exactly what DID, turning "repairs" for > SELinux into an almost weekend-long Google crawl. > > Benefits from a base Arch perspective: I can't honestly see how this would > benefit Arch from putting it in the base group. > > Costs from a base Arch perspective: Big one being that it's entirely > unnecessary, and base is meant to have ONLY what's needed to have a > more or less FUNCTIONAL Linux system. Being secure is not a requirement > of being functional. Other cost being that it would introduce an entirely new > layer of configuration we don't need at install time, and would also guarantee > that Arch would only be able to "officially" support the few filesystems that > actually support SELinux's labelling. > > To sum up, it's GREAT when you actually NEED the security benefits it can > bring, otherwise, it's better to seek out AppArmor (Which I believe is > actually defunct.) or Tomoyo (Which I can never find any information on.), or > just leave MAC off altogether if you're not doing anything altogether mission > or security critical. Home desktop users would probably be better off ignoring > MAC. An interesting read, thanks. -- -- Rogutės Sparnuotos
