Context for my replies - I only use Gentoo in a personal setting.

On 01/01/2015 12:01 PM, Alexander Kapshuk wrote:
> I was wondering if there was any harm in disabling the NSA SELinux
> support in my gentoo-sources based kernel.

I've never had SELinux enabled in my gentoo kernels.

>
> The kernel config help for the NSA SELinux options suggests that
> having them enabled is optional.

Yup, totally is.

>
> If I understand it correctly, having these options on in the kernel
> config alone does not imply that my system is using NSA SELinux.
> According to http://wiki.gentoo.org/wiki/SELinux/Installation, a bunch
> of other things need to be taken care of to have SELinux on.

That's correct - I don't know what software/config one needs, but
SELinux is enabled/disabled/configured in userspace.

>
> Is SELinux something that the folk here would recommend using on a
> personal, rather than a production system? Or would you recommend
> using something else, if anything at all?
>
> Thanks.
>

I would recommend using nothing. From what little I understand about
security-related stuff, SELinux constrains the resources available to
programs (sockets, files, etc.) so vulnerabilities in various server
programs don't lead to an entire system being compromised.

SELinux is the only one I've had a bit of experience with - I run CentOS
(SELinux is enabled by default) for some personal-use-only services that
I want to run without dealing with Gentoo. My first step in a CentOS
install is to disable SELinux (and the firewall, hehe) to avoid dealing
with the pain of wading through documentation for hours on end.

The one use case that seems pretty interesting for personal use is
something I know for sure Ubuntu does - an AppArmor profile for all of
the web browsers they ship. AppArmor, if I'm not mistaken, does a lot of
the same things as SELinux, and the browser profiles guard against rogue
JavaScript from doing bad things.

If I got anything wrong security-wise, I'm sorry, and hopefully someone
corrects it quickly.

Hope this helps,

Alec
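Added example (not part of the thread): a small POSIX shell script that separates the three places the question and reply touch, the kernel build option, the userspace mode in /etc/selinux/config, and the live state under /sys/fs/selinux, so one can see that CONFIG_SECURITY_SELINUX=y alone does not mean SELinux is on. The default paths (/usr/src/linux/.config for a gentoo-sources kernel) and the exact report wording are assumptions.

```shell
#!/bin/sh
# Added example: where SELinux is switched on, from kernel build to runtime.
# Assumed default paths: /usr/src/linux/.config (gentoo-sources kernel config),
# /etc/selinux/config (userspace mode), /sys/fs/selinux/enforce (live state).

# kernel_selinux_support KCONFIG -> "y" if the kernel was built with SELinux, else "n"
kernel_selinux_support() {
    grep -q '^CONFIG_SECURITY_SELINUX=y' "$1" 2>/dev/null && echo y || echo n
}

# userspace_selinux_mode SELINUX_CONFIG -> SELINUX= value (enforcing/permissive/disabled)
# from /etc/selinux/config, or "unset" when the file or the key is missing
userspace_selinux_mode() {
    mode=$(sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" 2>/dev/null | tail -n 1)
    echo "${mode:-unset}"
}

# runtime_selinux_state ENFORCE_FILE -> "enforcing", "permissive" or "inactive"
# (/sys/fs/selinux/enforce only exists once a policy is loaded; 1 = enforcing, 0 = permissive)
runtime_selinux_state() {
    if [ ! -r "$1" ]; then
        echo inactive
        return
    fi
    case "$(cat "$1")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo inactive ;;
    esac
}

# selinux_report KCONFIG SELINUX_CONFIG ENFORCE_FILE -> one-line summary
selinux_report() {
    k=$(kernel_selinux_support "$1")
    u=$(userspace_selinux_mode "$2")
    r=$(runtime_selinux_state "$3")
    if [ "$k" = n ]; then
        echo "kernel lacks SELinux support: nothing in userspace can enable it"
    elif [ "$r" = inactive ]; then
        echo "kernel supports SELinux but it is not active (userspace config: $u)"
    else
        echo "SELinux active and $r (userspace config: $u)"
    fi
}

# Stand-alone use: override the assumed default paths with three arguments.
selinux_report "${1:-/usr/src/linux/.config}" "${2:-/etc/selinux/config}" "${3:-/sys/fs/selinux/enforce}"
```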