On Fri, Mar 28, 2014 at 12:54:44PM +0200, Arthur Țițeică wrote:
> It raises a question mark that the two most important components of a system
> (systemd and the kernel) have security measures disabled.
>
> People in this thread like to put out the over subjective "lightweight" factor
> but still there are no bug reports or any other solid evidence that the kernel
> ate their computers since apparmor, selinux and audit were semi-silently
> enabled a few builds back.
>
> The facts will remain though:
>
> * the kernel will still be "everything and the kitchen sink".
> * no provable performance enhancement so far.
> * security measures will get back at square 1.

There seems to be a general, significant misunderstanding floating around this thread. The "security features" in question are not passive; their mere existence within the binary kernel does not improve security. They are modules that allow users to fine-tune certain security features through the kernel using third-party tools, features that are almost exclusively useful for server administration (since, if you're the only one with access to your single-user machine, they won't tell you anything you can't already see without them). If you've never installed and configured the SELinux/AppArmor/Tomoyo userspace packages, you've never had the security they purport to provide.

Hence the point of removing their modules from the kernel isn't performance; it's that *no one uses them,* and they clutter up the kernel configuration for no good reason at all, making it more tedious to maintain and just a bit more annoying to configure for individual users for absolutely no benefit.

--
"A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools." - Douglas Adams
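The distinction drawn in the reply above, between an LSM that is merely compiled into the kernel and one that userspace has actually loaded a policy into, can be checked directly on a running system. The script below is an added example written for this page; it is not code from the thread or from any of the LSM projects. It reads the standard sysfs/securityfs locations (`/sys/kernel/security/lsm`, which only newer kernels provide; `/sys/module/apparmor/parameters/enabled`; `/sys/kernel/security/apparmor/profiles`, which normally needs root to read; and `/sys/fs/selinux/enforce`) and reports, per module, whether it is absent, built in but unconfigured, or active. The helper functions take their inputs as arguments so the classification logic can be exercised with constructed values without a matching kernel.

```shell
#!/bin/sh
# lsm_check.sh - added example, not part of the original thread.
# Distinguishes "LSM compiled into the kernel" from "LSM actually
# configured by userspace", which is the point the reply above makes.

# lsm_listed LIST NAME: returns 0 if NAME appears in the comma-separated
# LIST of active LSMs (the format of /sys/kernel/security/lsm).
lsm_listed() {
    list=$1
    name=$2
    case ",$list," in
        *",$name,"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# apparmor_state ENABLED_FLAG PROFILE_COUNT: prints
#   absent                -> module not built in / not enabled (flag != Y)
#   built-in-unconfigured -> enabled but no profiles loaded by userspace
#   active                -> enabled with at least one profile loaded
apparmor_state() {
    flag=$1
    profiles=${2:-0}
    if [ "$flag" != "Y" ]; then
        echo absent
    elif [ "$profiles" -eq 0 ]; then
        echo built-in-unconfigured
    else
        echo active
    fi
}

# selinux_state ENFORCE: prints absent | permissive | enforcing | unknown,
# from the contents of /sys/fs/selinux/enforce ("" when the file is missing).
selinux_state() {
    case $1 in
        "") echo absent ;;
        0)  echo permissive ;;
        1)  echo enforcing ;;
        *)  echo unknown ;;
    esac
}

# live_report: reads the real kernel interfaces and prints a summary.
# Every read tolerates a missing file so the script runs on any kernel.
live_report() {
    active=$(cat /sys/kernel/security/lsm 2>/dev/null || true)
    aa_flag=$(cat /sys/module/apparmor/parameters/enabled 2>/dev/null || true)
    aa_profiles=$(grep -c . /sys/kernel/security/apparmor/profiles 2>/dev/null || echo 0)
    se_enforce=$(cat /sys/fs/selinux/enforce 2>/dev/null || true)

    echo "active LSMs : ${active:-<file not present on this kernel>}"
    echo "apparmor    : $(apparmor_state "$aa_flag" "$aa_profiles")"
    echo "selinux     : $(selinux_state "$se_enforce")"
    if [ -n "$active" ] && lsm_listed "$active" apparmor; then
        echo "note        : apparmor is in the active LSM list"
    fi
}

live_report
```

A result of `built-in-unconfigured` is exactly the situation the reply describes: the kernel carries the module, but without the userspace packages and a loaded policy it confines nothing.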