On Sat, Sep 22, 2007 at 06:47:46PM -0500, L. V. Lammert wrote: > OBSD is UNIX, .. SELinux is Linux. If you want a secure, efficient, > compact OS done by folks you can trust and actually talk to, use OBSD; if > you want 'fairly secure Linux' [which has had thousands of hand in it > including NSA, as mentioned previousy], use OpenSUSE with ***AppArmor***. > Simple and easy to implement, even by less senior Admins.
Can you say "root can only run this and that application when su'ed from that guy, and may not open any net connection, but open this file and none else" in OpenBSD? If so, how can I do it? :) > SELinux is **NOT** ready for primetime, unless it's changed tremenduously > in the past couple of years. Last time we tried it, management was totally > arcane and the machines would lock up on a regular (monthly) basis. It > wasn't worth the time to troubleshoot so we went with AppArmor for that > application. A couple of years is a long time, in terms of software, so I'd expect such instabilities, if SELinux is the culprit, to be fixed. But I won't deny it's learning curve is extremely steep. So steep indeed that most of the time it's easier to have carefully laid out standard unix permissions associated with sudo and specific users for specific software. The *need* for things like SELinux exists in some niche markets where higher levels of security are necessary. Remember: OpenBSD still doesn't have a digitally signed code distribution, and in some places that means it can't enter! Stupid, I know, but not too stupid for the "blame game" rules, which sort of ignore the "secure by design" initiatives. Rui -- All Hail Discordia! Today is Sweetmorn, the 47th day of Bureaucracy in the YOLD 3173 + No matter how much you do, you never do enough -- unknown + Whatever you do will be insignificant, | but it is very important that you do it -- Gandhi + So let's do it...?
