Re: OBSD's perspective on SELinux

[Ihar Hrachyshka]

2007/9/22, Joachim Schipper <[EMAIL PROTECTED]>:
> The OpenBSD developers are trying to make the most secure UNIX system
> they can; SELinux might or might not be secure, but it's not UNIX.
What part of SELinux is NOT Unix? Remember that all traditional Unix
rwx permissions are still there.
>
> Additionally, it's not entirely clear whether it actually helps;
For example for blocking some critical operations for ALL users, even
root. Of course, that's the case when strict traditional
Unix-awareness is not so critical as the security of the system by
itself.
> SELinux configuration is, even at its best, a lot more complex than the
> equivalent UNIX-ish configuration. Thus, it becomes more likely that
> there will be either configuration or coding errors.
Every security feature, every OS improvement IS an additional code.
That's the problem of proper kernel and security policies audit, not
SELinux as an idea.
>
>                 Joachim
>
> --
> TFMotD: kadmin (8) - Kerberos administration utility