In days of yore (Tue, 02 Apr 2024), Colin Watson thus quoth:
> TCP wrappers
> ============

Not used hosts.{allow,deny} for the last 17 years (since I started my current employment) so I am biased. Honest opinion is that firewall and fail2ban have pretty much obsoleted TCP wrappers.

> SELinux
> =======
>
> For the time being my inclination is to leave this be, but I've seen the
> suggestion that pam_selinux is basically all you need
> (https://infosec.exchange/@alwayscurious/112192949171400643), so maybe
> it would be an option to drop --with-selinux in favour of that? I've
> never used SELinux, so I'd need an expert to weigh in here.

If you need an expert on SELinux, you need Dan Walsh.

I have used SELinux for the last 17 years, from when it was a monolithic policy to what it is like today in RHEL. SELinux is - as far as I know - not an issue and has a fail-closed rather than fail-open approach.

IMHO, if it is not used and you have the time to spare to drop it, do, otherwise it should be safe with the status quo on this. And should Debian pick SELinux up fully and enable a targeted policy, well, you will want this anyway.

--
Kind regards,
/S