On 9/23/07, Jason Dixon <[EMAIL PROTECTED]> wrote: > On Sep 22, 2007, at 12:00 PM, Darrin Chandler wrote: > > > On Sat, Sep 22, 2007 at 11:34:33AM -0400, Douglas A. Tutty wrote: > >> Linux has SELinux in its 2.6 kernel and debian has gone ahead and > >> compiled SELinux into the libraries, although the SELinux policies > >> aren't ready on debian yet. The whole focus seems to be to make > >> Linux > >> "more secure". I'm not sure what to make of it. I figure that if > >> you > >> want secure, you switch to OBSD. > >> > >> Could someone who knows both the details of OBSDs security > >> enhancements > >> and the details of SELinux comment? > > > > I don't know all the details, and especially not the SELinux details, > > but that won't stop me from commenting. > > > > Not long ago I was talking with a Linux person about security, and > > they > > pointed me to a set of patches that did a lot of nifty stuff. Good > > stuff, like the things you find OpenBSD doing. But it's not in the > > mainline kernel, it's a set of patches. > > > > Security should not be grafted on, it should be integrated into the > > main development process.
yes you're right. Although that point no longer holds. SELinux is more or less "official" now. But for a looong (long) time, it was pretty apparent what the focus of the developers was *not* on.... And even now so.... (IMO) > > I'm sure the patch maintainers are doing > > their > > best, but this doesn't change the fundamental flaw in the process. > > It's > > not a flaw of their making, it's inherent in the situation. But it's > > still a flaw. > > > > Compare that to a complete operating system (OpenBSD) where > > security is part of > > code quality, and part of the normal mainline development. > > If I could add one thing to Darrin's comment (of which I agree > completely), it would be this: > > SELinux is a button. Buttons are easy to turn off. > button, yes. The scary (or "interesting", depending on how you see it) bit is that there is a whole infrastructure (LKM) behind it making it easy(?) to create, and plug in your own buttons to do your own funky stuff... -jf -- In the meantime, here is your PSA: "It's so hard to write a graphics driver that open-sourcing it would not help." -- Andrew Fear, Software Product Manager, NVIDIA Corporation http://kerneltrap.org/node/7228