On Sat, 22 Sep 2007, Douglas A. Tutty wrote:
> Hello all,
>
> I'm running OBSD on my older boxes but still Debian on my big box (not
> ready yet).
>
> Linux has SELinux in its 2.6 kernel and debian has gone ahead and
> compiled SELinux into the libraries, although the SELinux policies
> aren't ready on debian yet. The whole focus seems to be to make Linux
> "more secure". I'm not sure what to make of it. I figure that if you
> want secure, you switch to OBSD.
>
> Could someone who knows both the details of OBSD's security enhancements
> and the details of SELinux comment?
In terms of mandatory access controls, OpenBSD only has systrace.

Every medium to large Linux deployment that I am aware of has switched
SELinux off. Once you stray from the default configurations that the
system distributors ship with, the default policies no longer work and
things start to break. In my admittedly limited experience, this happens
very quickly. If the policy language was halfway sane then this wouldn't
be so bad - a skilled administrator could adjust the policy. Unfortunately:

1) skilled administrators are hard to come by, and their time is usually
   better spent *not* tweaking brittle mandatory access control policies

2) the SELinux policy language is nowhere near sane.

OpenBSD's systrace suffers from #1 - it is a generic problem with these
sorts of access control mechanisms, and it is one reason why it has never
been enabled by default. The brittleness is a real problem - I use
systrace for a few things and often need to update my policies because of
software upgrades or libc changes.

Oh, and "skilled administrator" means someone deeply familiar with the
Unix system interface - not just a graduate of the certification course
du jour.

The Linux solution to #2 seems to be to add various wizards and other
abstraction between the administrator and the policy, rather than tossing
the horrid mess and replacing it with something more comprehensible.

I'm sure you could use SELinux to improve the security of a system but it
would require quite a bit of time and effort, both initial and ongoing.

-d
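An added illustration, not part of the thread, of the "libc changes" brittleness described above: a systrace policy fragment in the style that automatic policy generation (`systrace -A`) produces for a simple program, followed by the same rule rewritten with a glob so a libc minor-version bump does not turn into a denial. The program path, the libc version number and the exact set of syscalls are assumed for the example; the policy keywords (`Policy:`, `native-fsread`, `eq`, `match`, `inpath`) are as documented in systrace(1).

```text
# Constructed example policy for /bin/ls (native emulation).
Policy: /bin/ls, Emulation: native
	native-issetugid: permit
	native-mmap: permit
	native-mprotect: permit
	native-__sysctl: permit
	native-fsread: filename eq "/var/run/ld.so.hints" then permit
	# Brittle: the auto-generated rule pins the exact libc file name.
	# After a libc upgrade the loader opens libc.so.40.0, this rule no
	# longer matches, and the open is denied (or prompts, depending on mode).
	native-fsread: filename eq "/usr/lib/libc.so.39.0" then permit
	native-fstat: permit
	native-close: permit
	native-fchdir: permit
	native-fcntl: permit
	native-getdirentries: permit
	native-lseek: permit
	native-write: permit
	native-exit: permit

# Same policy with the libc rule loosened to survive upgrades.
# "match" does shell-style globbing; "inpath" would be broader still
# (any read under /usr/lib), which is a trade-off against least privilege.
Policy: /bin/ls, Emulation: native
	native-issetugid: permit
	native-mmap: permit
	native-mprotect: permit
	native-__sysctl: permit
	native-fsread: filename eq "/var/run/ld.so.hints" then permit
	native-fsread: filename match "/usr/lib/libc.so.*" then permit
	native-fstat: permit
	native-close: permit
	native-fchdir: permit
	native-fcntl: permit
	native-getdirentries: permit
	native-lseek: permit
	native-write: permit
	native-exit: permit
```

The widened rule is still read-only and still confined to libc's path pattern, which keeps the policy useful while removing the most common reason it has to be regenerated after an upgrade.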