Why aren't you using SELinux?

Thread replies: 20
Thread images: 2

Why aren't you using SELinux?
>>
I am on my home server. It's too much of a pain in the ass for desktop use, though.
>>
NSA honeypot.
>>
Overkill for desktop. I just use Firejail instead, although even that is probably overkill when using GNU/Linux.
>>
>>61726273
>centos is too hard to use :'(((
>>
>>61726295
I DO use centos on my home server. I actually need up-to-date packages and kernels on my desktop, so I use Arch.
>>
>>61726285
Just stop.
>>
>>61726325
Have proof it isn't? How can you trust software developed by NSA and/or by its partners (Red Hat)?
>>
>>61726337
Open source?
Reviewed code?
PhD grade papers on SELinux?
If the NSA wanted to install a backdoor, you think they would say "here you go guys, we made this OS, enjoy it"

That's the worst way of doing it. They would not incriminate themselves like that, they would set up virtual people to take the fall for it.

There's a lot more on this, but rest assured, SELinux is safe.
>>
>>61726363
Hidden code within the code which is read using hidden code hidden within Intel CPUs
>>
>>61726405
The first thing to understand is that SELinux is implemented using the Linux Security Module (LSM) Framework. The LSM framework up until very recently has been used to provide further restrictions on the system above what is already provided through the discretionary access control (DAC) system. The DAC system is your ACLs, UID/GID, and permission bits. The idea behind LSM is that there was a need to provide access restrictions above and beyond what is represented in DAC. So premise number 1 is that LSMs can/should only further restrict permissions and unless something is wrong with the hook placement in the kernel that should be the case.

The reason this is the case is because of the way access checks are made in the kernel. In order for any permission to be granted it must initially pass the DAC access control check. Often people complain about SELinux problems yet see no AVC denials because they aren't even passing the DAC check to begin with. So this means SELinux should never grant you the ability to do something your user couldn't already do. SELinux should only then take what your user is authorized to do and further restrict it. SELinux doesn't use user authorization to determine access to resources. It bases its decisions on security labels assigned to processes and resources in the system and then matches it against a set of rules in the security policy. If you look at kernel code you will see the DAC check performed first followed by a call to a security_* function. The security_* functions are the API for the LSM framework and under the hood each module implements their own versions of the hooks.
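
The check order described in the post above, as an added example that is not part of the original post and is not kernel code: a user-space C model in which the DAC mode-bit check runs first and a label-based hook is consulted only if DAC passes. The struct and function names, the sample policy and the sample files are all constructed for illustration, and capability overrides for root are not modelled.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the check order; every name here is hypothetical. */
struct subject { unsigned uid, gid; const char *type; };        /* process */
struct object  { unsigned uid, gid, mode; const char *type; };  /* file */
struct te_rule { const char *src, *tgt; unsigned perms; };      /* allow rule */
enum { P_R = 4, P_W = 2 };
enum verdict { GRANTED, DENIED_DAC, DENIED_MAC };

/* Constructed sample policy and objects. */
static const struct te_rule policy[] = {
    {"httpd_t", "httpd_sys_content_t", P_R},
    {"httpd_t", "shadow_t", P_R},  /* MAC allow; cannot override a DAC denial */
};
static const struct subject httpd     = {48, 48, "httpd_t"};
static const struct object  web_page  = {0, 0, 0644, "httpd_sys_content_t"};
static const struct object  shadow    = {0, 0, 0600, "shadow_t"};
static const struct object  home_file = {1000, 1000, 0644, "user_home_t"};
int avc_denials;  /* number of AVC denial messages emitted */

/* DAC: pick owner, group or other bits, then compare with the request. */
static int dac_permission(const struct subject *s, const struct object *o, unsigned mask) {
    unsigned bits = s->uid == o->uid ? o->mode >> 6
                  : s->gid == o->gid ? o->mode >> 3 : o->mode;
    return (bits & 7 & mask) == mask ? 0 : -EACCES;
}

/* MAC hook: default deny unless a rule matches (source type, target type, perms). */
static int security_permission(const struct subject *s, const struct object *o, unsigned mask) {
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (!strcmp(policy[i].src, s->type) && !strcmp(policy[i].tgt, o->type)
            && (policy[i].perms & mask) == mask)
            return 0;
    avc_denials++;
    printf("avc: denied scontext=%s tcontext=%s mask=%u\n", s->type, o->type, mask);
    return -EACCES;
}

/* DAC first; the hook (and any AVC message) is reached only if DAC passed. */
enum verdict check_access(const struct subject *s, const struct object *o, unsigned mask) {
    if (dac_permission(s, o, mask)) return DENIED_DAC;
    if (security_permission(s, o, mask)) return DENIED_MAC;
    return GRANTED;
}

int main(void) {
    printf("web_page=%d shadow=%d home_file=%d\n", check_access(&httpd, &web_page, P_R),
           check_access(&httpd, &shadow, P_R), check_access(&httpd, &home_file, P_R));
    return 0;
}
```

The `shadow` case is the one the post calls out: the request fails at DAC, so no AVC line is produced even though the sample policy contains an allow rule for it.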
>>
>>61726363
>Open Source
Who sacrificed their time to review the code?
>Reviewed code
Was it? By who?
>PhD grade papers on SELinux
Means nothing about it not being a honeypot.
>If NSA wanted to install backdoor they surely wouldn't compromise themselves!
Oh really?
NSA asked Linus to implement backdoor to kernel.
NSA knew about heartbleed all the time and did nothing to fix it.

Now, think about it, SELinux is open source, what if... NSA has 2 copies of it..? One for plebs who're trying to avoid them with backdoors in it and another, patched one, which is used by NSA..?
I know, mindblowing...
>>
>>61726445
Nice pasta. Also see here >>61726497 Especially the last paragraph.
>>
>>61726265
I do on my VDS.
>>
>>61726497
ok so what's the most secure OS?
>>
>>61726529
There are none, every OS has security problems. Bugs happen, someone "not associated with NSA" might push a patch to open source project with non obvious "bug". (see: heartbleed)
Best thing you can do: reduce attack vector to minimum.
>>
>>61726571
I meant
>...non obviously breaking security with a "bug"
>>
>>61726363
>SELinux is safe
nice try nsa
>>
>>61726571
>reduce attack vector to minimum
So... install Gentoo?
>>
>>61726682
Good start. Don't use Red Hat software, basically.
Still, you can't be sure with other open source projects (not saying closed source is better).
It's unrealistic and impractical to review all the code.
My point with SELinux was: I'm not saying it's not making OS secure. BUT you have to trust NSA. Do you? With all the leaks made by Snowden.

It's same with using VPN. For maximum security you MUST assume every VPN has logs despite what they're saying, because you can't prove otherwise.
Same with SELinux, unless you reviewed source code and you're competent enough to understand it all. Although, a bug can slip past one's eye; the more people review it, the better.

There is an interesting talk made in 2014 FOSDEM I suggest you to watch: https://youtu.be/fwcl17Q0bpk
This is a 4chan archive - all of the content originated from that site.
This means that RandomArchive shows their content, archived.