5 Aug 2010 zanee   » (Journeyer)

SELinux is not for desktop usage

Ok, let me state emphatically. SELinux[1] is probably the most secure environment and system that you can get for free. Its emphasis is on an RBAC model, which is different from, let's say, OpenBSD's security-through-code approach. Anyway, I don't have time to get into a lengthy post about all of this right now because my brain is tracking on something else, except to say that I don't believe SELinux is useful on consumer-grade desktop systems.

In tight-security corporate rollout environments or secure military facilities or some such, it only makes sense on the desktop there. However, I'm speaking about RUN-OF-THE-MILL machines. So your desktop at home? It's retarded to have SELinux there because a run-of-the-mill machine has constantly changing needs and is general purpose. Writing new policy for every new thing you plan to do is a little silly, especially because that policy will probably be insecure ANYWAY and it takes time to vet.

So Fedora with SELinux? Dumb. Ubuntu user distro with SELinux? Dumb. Etc. user distro Linux? Dumb. You get the idea. If you want a secure desktop, turn on a firewall and flip on encryption of your most sacred files. Apple has FileVault, which is implemented extremely poorly even though I use it; obviously if you are using Unix then you are aware of your options, etc.

[1]: http://www.nsa.gov/research/selinux/


Syndicated 2010-08-05 13:57:07 from Christopher Warner » Advogato
