[CentOS] SELinux - way of the future or good idea but !!!

Thu Dec 9 15:39:00 UTC 2010
Tom H <tomh0665 at gmail.com>

On Wed, Dec 8, 2010 at 11:10 AM, Les Mikesell <lesmikesell at gmail.com> wrote:
> On 12/8/2010 4:04 AM, David Sommerseth wrote:
>> iptables is a de-facto standard on all Linux distributions nowadays.  It
>> is not ratified by ISO, IETF or similar ... but how does that make the
>> real life scenario any different?  That's just a piece of paper.
>> iptables works, and so does SELinux - when you learn how to use it.
>
> The real life situation is that iptables only works on linux and the way
> it works is distribution-dependent.  So what you learn may lock you into
> a platform that may not always be your best choice.

iptables rules are distribution-independent. Different distributions
dump the iptables control and config files in different locations...
>> SELinux came as a result that someone found weaknesses and wanted to try
>> avoid security issues. Just like when firewalls began to become so
>> popular 20-30 years ago or so.  There was a need to improve something,
>> and someone did the job.  Nobody cared much about firewalls in the early
>> 80's.  Why?  Maybe because nobody thought anyone would abuse or misuse
>> the network infrastructure?
>
> Does that mean you would not be comfortable moving your applications to
> SUSE, Solaris, OS X, Windows, etc.?  I don't want that kind of lock-in.

SUSE has AppArmor (which it considers equivalent/superior), but you
can probably install SELinux on it (you can on Ubuntu and Debian).

Solaris has Trusted Extensions for MAC and RBAC.

OS X has a Macified version of TrustedBSD.

Windows has UAC.

(In the same way that the last three have their own firewall apps!)