| 1 |
Context for my replies - I only use Gentoo in a personal setting. |
| 2 |
|
| 3 |
On 01/01/2015 12:01 PM, Alexander Kapshuk wrote: |
| 4 |
> I was wondering if there was any harm in disabling the NSA SELinux |
| 5 |
> support in my gentoo-sources based kernel. |
| 6 |
|
| 7 |
I've never had SELinux enabled in my gentoo kernels. |
| 8 |
|
| 9 |
> |
| 10 |
> The kernel config help for the NSA SELinux options suggests that |
| 11 |
> having them enabled is optional. |
| 12 |
|
| 13 |
Yup, totally is. |
| 14 |
|
| 15 |
> |
| 16 |
> If I understand it correctly, having these options on in the kernel |
| 17 |
> config alone does not imply that my system is using NSA SELinux. |
| 18 |
> According to http://wiki.gentoo.org/wiki/SELinux/Installation, a bunch |
| 19 |
> of other things needs to be taken care of to have SELinux on. |
| 20 |
|
| 21 |
That's correct - I don't know what software/config one needs, but |
| 22 |
SELinux is enabled/disabled/configured in userspace. |
| 23 |
|
| 24 |
> |
| 25 |
> Is SElinux something that the folk here would recommend using on a |
| 26 |
> personal, rather than a production system? Or would you recommend |
| 27 |
> using something else, if anything at all? |
| 28 |
> |
| 29 |
> Thanks. |
| 30 |
> |
| 31 |
|
| 32 |
I would recommend using nothing. From what little I understand about |
| 33 |
security-related stuff, SELinux constrains the resources available to |
| 34 |
programs (sockets, files, etc.) so vulnerabilities in various server |
| 35 |
programs don't lead to an entire system being compromised. |
| 36 |
|
| 37 |
SELinux is the only one I've had a bit of experience with - I run CentOS |
| 38 |
(SELinux is enabled by default) for some personal-use-only services that |
| 39 |
I want to run without dealing with Gentoo. My first step in a CentOS |
| 40 |
install is to disable SELinux (and the firewall, hehe) to avoid dealing |
| 41 |
with the pain of wading through documentation for hours on end. |
| 42 |
|
| 43 |
The one use case that seems pretty interesting for personal use is |
| 44 |
something I know for sure Ubuntu does - an AppArmor profile for all of |
| 45 |
the web browsers they ship. AppArmor, if I'm not mistaken, does a lot of |
| 46 |
the same things as SELinux, and the browser profiles guard against rogue |
| 47 |
JavaScript from doing bad things. |
| 48 |
|
| 49 |
If I got anything wrong security-wise, I'm sorry, and hopefully someone |
| 50 |
corrects it quickly. |
| 51 |
|
| 52 |
Hope this helps, |
| 53 |
|
| 54 |
Alec |
Archives