REDPILL ME ON SELINUX
IS IT THE MOST SECURE LINUX EVER?
pic unrelated
>>60330671
>MOST SECURE
*as long as offline
>>60330996
t. cia nigger
>>60331314
mi6 nigger
>>60331333
nice script nsa
>>60330671
Yes totally secure, mossad approved
>>60330671
Selinux was created by the NSA, so do the math.
selinux stops retards doing retarded things. It literally protects the system from stupid users. It's great and should be default enforcing on every Linux distribution.
>>60330671
Use Qubes instead.
>>60330671
yes, it is the SECUREST
>>60330996
it's just an acl
>>60330671
It's a defense-in-depth thing. By itself it won't save you from much. (and it WILL cause something or other to mysteriously fail until you think to check if it's SELinux doing it...) Its value is in limiting the damage an attacker can do after they've made the initial break.
>>60334727
so why are they satisfied with this?
why don't they do full kernel hardening like grsecurity does?
it'd be really nice seeing as how the latter is now only available for subscribers
>>60330671
Use AppArmor instead.
>>60334841
Some of the grsec stuff has gone upstream, and some more is in the pipeline (e.g., more kernel mode ASLR). Some other stuff will never be upstream because it's ugly, hackish, and difficult to maintain, and/or it violates Linus's rule of "never break userspace". (Linus said as much in a mailing-list post at some point, go look it up if you like)
Also note that SELinux and grsec are different beasts. SELinux is MAC. Essentially a turbocharged permissions and user/group system, the idea being that processes should have least-privilege way beyond what you can do with ordinary user permissions. (one example I ran into was that it won't let OpenVPN use certificates unless those certificates are where it expects them to be.) Grsec is all about making the exploit harder to attain in the first place by bolting things down in kernel code - like the aforementioned ASLR.
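
Added example, not part of the thread: a small parser that answers "is it SELinux doing it?" for a case like the OpenVPN certificate one described above, by grouping AVC denials by process, source type and target type. The log lines are constructed, and the type names (`openvpn_t`, `user_home_t`, `httpd_t`, `unreserved_port_t`) are assumed to match a typical reference-policy system.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not taken from a real system).
SAMPLE_LOG = """\
type=AVC msg=audit(1496000000.123:456): avc:  denied  { read } for  pid=1234 comm="openvpn" name="client.crt" dev="dm-0" ino=12345 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1496000000.124:457): avc:  denied  { open } for  pid=1234 comm="openvpn" path="/home/user/client.key" dev="dm-0" ino=12346 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1496000000.124:457): arch=c000003e syscall=2 success=no exit=-13 comm="openvpn"
type=AVC msg=audit(1496000001.500:460): avc:  denied  { name_bind } for  pid=2200 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)

def se_type(context):
    """Return the type field (third) of a user:role:type:level context."""
    return context.split(":")[2]

def summarize_denials(log_text):
    """Group AVC denials by (comm, source type, target type, class)."""
    summary = defaultdict(lambda: {"perms": set(), "blocked": False})
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # skip SYSCALL/PATH records that accompany the AVC
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (m["comm"], se_type(m["scon"]), se_type(m["tcon"]), m["tclass"])
        summary[key]["perms"].update(m["perms"].split())
        # permissive=1 means logged only; 0 (or field absent) is treated as refused
        if m["permissive"] != "1":
            summary[key]["blocked"] = True
    return dict(summary)

if __name__ == "__main__":
    for (comm, src, tgt, cls), info in summarize_denials(SAMPLE_LOG).items():
        state = "blocked" if info["blocked"] else "logged only (permissive)"
        print(f"{comm}: {src} -> {tgt} [{cls}] {sorted(info['perms'])} {state}")
```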