| 1 |
On Thu, Jan 1, 2015 at 7:25 PM, Alec Ten Harmsel <alec@××××××××××××××.com> |
| 2 |
wrote: |
| 3 |
|
| 4 |
> Context for my replies - I only use Gentoo in a personal setting. |
| 5 |
> |
| 6 |
> On 01/01/2015 12:01 PM, Alexander Kapshuk wrote: |
| 7 |
> > I was wondering if there was any harm in disabling the NSA SELinux |
| 8 |
> > support in my gentoo-sources based kernel. |
| 9 |
> |
| 10 |
> I've never had SELinux enabled in my gentoo kernels. |
| 11 |
> |
| 12 |
> > |
| 13 |
> > The kernel config help for the NSA SELinux options suggests that |
| 14 |
> > having them enabled is optional. |
| 15 |
> |
| 16 |
> Yup, totally is. |
| 17 |
> |
| 18 |
> > |
| 19 |
> > If I understand it correctly, having these options on in the kernel |
| 20 |
> > config alone does not imply that my system is using NSA SELinux. |
| 21 |
> > According to http://wiki.gentoo.org/wiki/SELinux/Installation, a bunch |
| 22 |
> > of other things needs to be taken care of to have SELinux on. |
| 23 |
> |
| 24 |
> That's correct - I don't know what software/config one needs, but |
| 25 |
> SELinux is enabled/disabled/configured in userspace. |
| 26 |
> |
| 27 |
> > |
| 28 |
> > Is SElinux something that the folk here would recommend using on a |
| 29 |
> > personal, rather than a production system? Or would you recommend |
| 30 |
> > using something else, if anything at all? |
| 31 |
> > |
| 32 |
> > Thanks. |
| 33 |
> > |
| 34 |
> |
| 35 |
> I would recommend using nothing. From what little I understand about |
| 36 |
> security-related stuff, SELinux constrains the resources available to |
| 37 |
> programs (sockets, files, etc.) so vulnerabilities in various server |
| 38 |
> programs don't lead to an entire system being compromised. |
| 39 |
> |
| 40 |
> SELinux is the only one I've had a bit of experience with - I run CentOS |
| 41 |
> (SELinux is enabled by default) for some personal-use-only services that |
| 42 |
> I want to run without dealing with Gentoo. My first step in a CentOS |
| 43 |
> install is to disable SELinux (and the firewall, hehe) to avoid dealing |
| 44 |
> with the pain of wading through documentation for hours on end. |
| 45 |
> |
| 46 |
> The one use case that seems pretty interesting for personal use is |
| 47 |
> something I know for sure Ubuntu does - an AppArmor profile for all of |
| 48 |
> the web browsers they ship. AppArmor, if I'm not mistaken, does a lot of |
| 49 |
> the same things as SELinux, and the browser profiles guard against rogue |
| 50 |
> JavaScript from doing bad things. |
| 51 |
> |
| 52 |
> If I got anything wrong security-wise, I'm sorry, and hopefully someone |
| 53 |
> corrects it quickly. |
| 54 |
> |
| 55 |
> Hope this helps, |
| 56 |
> |
| 57 |
> Alec |
| 58 |
> |
| 59 |
> |
| 60 |
Understood. Thanks. |
Archives