On Thu, Jan 1, 2015 at 7:25 PM, Alec Ten Harmsel <alec@××××××××××××××.com>
wrote:

> Context for my replies - I only use Gentoo in a personal setting.
>
> On 01/01/2015 12:01 PM, Alexander Kapshuk wrote:
> > I was wondering if there was any harm in disabling the NSA SELinux
> > support in my gentoo-sources based kernel.
>
> I've never had SELinux enabled in my gentoo kernels.
>
> >
> > The kernel config help for the NSA SELinux options suggests that
> > having them enabled is optional.
>
> Yup, totally is.
>
> >
> > If I understand it correctly, having these options on in the kernel
> > config alone does not imply that my system is using NSA SELinux.
> > According to http://wiki.gentoo.org/wiki/SELinux/Installation, a bunch
> > of other things need to be taken care of to have SELinux on.
>
> That's correct - I don't know what software/config one needs, but
> SELinux is enabled/disabled/configured in userspace.
>
> >
> > Is SELinux something that the folk here would recommend using on a
> > personal, rather than a production system? Or would you recommend
> > using something else, if anything at all?
> >
> > Thanks.
> >
>
> I would recommend using nothing. From what little I understand about
> security-related stuff, SELinux constrains the resources available to
> programs (sockets, files, etc.) so vulnerabilities in various server
> programs don't lead to an entire system being compromised.
>
> SELinux is the only one I've had a bit of experience with - I run CentOS
> (SELinux is enabled by default) for some personal-use-only services that
> I want to run without dealing with Gentoo. My first step in a CentOS
> install is to disable SELinux (and the firewall, hehe) to avoid dealing
> with the pain of wading through documentation for hours on end.
>
> The one use case that seems pretty interesting for personal use is
> something I know for sure Ubuntu does - an AppArmor profile for all of
> the web browsers they ship. AppArmor, if I'm not mistaken, does a lot of
> the same things as SELinux, and the browser profiles guard against rogue
> JavaScript from doing bad things.
>
> If I got anything wrong security-wise, I'm sorry, and hopefully someone
> corrects it quickly.
>
> Hope this helps,
>
> Alec
>

Understood. Thanks.
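A small shell check that makes the distinction in the reply concrete: SELinux support compiled into the kernel versus SELinux actually configured and enforced from userspace. This is an added example, not code from the thread; the paths it assumes (/proc/config.gz or /boot/config-<release> for the kernel config, /etc/selinux/config, and /sys/fs/selinux for selinuxfs) are typical of a Gentoo install but are assumptions.

```shell
#!/bin/sh
# Distinguish "SELinux compiled into the kernel" from "SELinux actually in use".
# Args: kernel config file, /etc/selinux/config path, selinuxfs mount point.
# Prints: kernel=yes|no configured=<mode>|absent live=enforcing|permissive|off
selinux_state() {
    kcfg=$1 ucfg=$2 sfs=$3
    # 1. Kernel side: CONFIG_SECURITY_SELINUX=y only adds support, nothing more.
    kernel=no
    if grep -q '^CONFIG_SECURITY_SELINUX=y' "$kcfg" 2>/dev/null; then kernel=yes; fi
    # 2. Userspace side: the SELINUX= line is what init/policy tools consult at boot.
    configured=absent
    if [ -r "$ucfg" ]; then
        mode=$(sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$ucfg")
        if [ -n "$mode" ]; then configured=$mode; fi
    fi
    # 3. Runtime: selinuxfs only gains an "enforce" file once a policy is loaded.
    live=off
    if [ -r "$sfs/enforce" ]; then
        case "$(cat "$sfs/enforce")" in
            1) live=enforcing ;;
            0) live=permissive ;;
            *) live=unknown ;;
        esac
    fi
    echo "kernel=$kernel configured=$configured live=$live"
}

# Check the running machine. Gentoo kernels usually expose their config as
# /proc/config.gz (CONFIG_IKCONFIG_PROC); /boot/config-<release> is the fallback.
live_check() {
    cfg=/boot/config-$(uname -r)
    if [ -r /proc/config.gz ]; then
        cfg=$(mktemp) && zcat /proc/config.gz > "$cfg"
    fi
    selinux_state "$cfg" /etc/selinux/config /sys/fs/selinux
}

# Constructed demo input: SELinux built into the kernel, but userspace says
# disabled and no policy is loaded, i.e. the "option on, not in use" case.
demo() {
    d=$(mktemp -d)
    printf 'CONFIG_SECURITY_SELINUX=y\n' > "$d/kcfg"
    printf 'SELINUX=disabled\nSELINUXTYPE=strict\n' > "$d/ucfg"
    mkdir -p "$d/sfs"   # no "enforce" file here: selinuxfs is not populated
    selinux_state "$d/kcfg" "$d/ucfg" "$d/sfs"   # kernel=yes configured=disabled live=off
    rm -rf "$d"
}
demo
```

Run `live_check` instead of `demo` to inspect the real machine; `kernel=yes` together with `live=off` is exactly the state the question describes, where the kernel option is on but nothing is using it.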