On Sat, Sep 22, 2007 at 11:50:08AM -0700, Ted Unangst wrote:
> On 9/22/07, Douglas A. Tutty <[EMAIL PROTECTED]> wrote:
> > Linux has SELinux in its 2.6 kernel and debian has gone ahead and
> > compiled SELinux into the libraries, although the SELinux policies
> > aren't ready on debian yet.
>
> rhetorical question: why aren't the policies ready?
>
> the problem with security by policy is that the policy is always wrong.
>
> exercise for the reader: find somebody using SELinux. ask them to
> describe their policy over the phone. then repeat it back to them.
> did you get it right?
I only know (via the mailing list) people running Debian. Debian comes with the SELinux patches compiled into the libraries and kernel, but the SELinux policies haven't been integrated into the "Debian way of doing things" yet. In other words, since Debian packages, by policy, must "just work" on install (come with a reasonable default setup; the exceptions are a few things like the Shorewall firewall builder, which installs in a disabled state and prints a warning), once Debian decides on an SELinux policy, all the thousands of packages have to be set up to detect the SELinux policy on the box at the time and integrate themselves into it.

That's the limit of what I know about it. It sounds like solving the opening of a can of worms by dumping it into a vermiculture pot.

Anyway, thanks for the discussion. For security I'll stick with OBSD. For watching movies, I'll stick with Debian until someone builds a video card that doesn't need a blob driver to run the hardware converter.

Doug.