Linked by Thom Holwerda on Wed 19th Mar 2008 22:58 UTC, submitted by diegocg
Ubuntu, Kubuntu, Xubuntu
It's official: SELinux is now available in the Ubuntu development ('Hardy Heron') distribution. "This is the result of the amazing work of the ubuntu-security and ubuntu-hardened teams, as well as the huge contributions from the folks at Tresys (SELinux will not be the default, but is available as a security option)." In other news, Sun has started offering Ubuntu as an option.
RE: Debian already has this?
by sbergman27 on Thu 20th Mar 2008 11:24 UTC in reply to "Debian already has this?"
sbergman27 Member since:
2005-07-24

I'd just automatically disable it during install on the later releases, so I'm not really qualified to say if it's still getting in the way on anything newer than Fedora 6.


Even "disabled", it's still impacting performance unless you manually add "selinux=0" to your kernel boot string. SELinux is kind of like lice. Once your machine is infested, it's very difficult to really get rid of it.

Score: 4

RE[2]: Debian already has this?
by h3rman on Thu 20th Mar 2008 11:34 in reply to "RE: Debian already has this?"
h3rman Member since:
2006-08-09

Even "disabled", it's still impacting performance unless you manually add "selinux=0" to your kernel boot string. SELinux is kind of like lice. Once your machine is infested, it's very difficult to really get rid of it.


I sense a little dichotomy here. If it's as simple as adding selinux=0 to your kernel boot string, where's the "very difficult" bit?
Not a rhetorical question, I frankly have no idea of kernel level SELinux mechanisms.

Score: 2

sbergman27 Member since:
2005-07-24

If it's as simple as adding selinux=0 to your kernel boot string, where's the "very difficult" bit?


The "difficult" bit (perhaps "tricky" might have been a better term) is knowing that you can't just disable it and have it really be out of the way. "Disabling" SELinux during the install, or afterward, merely causes it not to load a policy. I imagine that most people who think they have it disabled really don't, not realizing that you have to manually edit grub.conf to add the right string after every kernel upgrade to avoid the "SELinux tax" on performance.

Edited 2008-03-20 12:16 UTC

Score: 2
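A check for the situation described in the comment above, as an added example that is not part of the thread: it lists the boot entries in a legacy GRUB grub.conf whose kernel line lacks selinux=0 while the SELinux config file says "disabled". The function names, the file paths passed as arguments and the sample grub.conf and config contents are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Sample files below are constructed.

# Print "<title>|present" or "<title>|absent" for each grub.conf boot entry,
# depending on whether its kernel line carries selinux=0.
audit_grub() {
    awk '
        $1 == "title"  { sub(/^[ \t]*title[ \t]+/, ""); title = $0; next }
        $1 == "kernel" {
            state = "absent"
            for (i = 2; i <= NF; i++) if ($i == "selinux=0") state = "present"
            print title "|" state
        }' "$1"
}

# Print the SELINUX= mode from an SELinux config file (SELINUXTYPE= is ignored).
config_mode() {
    awk -F= '$1 == "SELINUX" { mode = $2 } END { print mode }' "$1"
}

# Boot entries where the config says "disabled" but the kernel line has no
# selinux=0, i.e. the situation the comment describes.
config_only_disabled() {
    [ "$(config_mode "$2")" = "disabled" ] || return 0
    audit_grub "$1" | awk -F'|' '$2 == "absent" { print $1 }'
}

# Constructed sample: a newer kernel entry without the flag, an older one with it.
demo=$(mktemp -d) && trap 'rm -rf "$demo"' EXIT
cat > "$demo/grub.conf" <<'EOF'
default=0
title Example Linux (2.6.x-new)
    root (hd0,0)
    kernel /vmlinuz-new ro root=/dev/sda1 quiet
title Example Linux (2.6.x-old)
    root (hd0,0)
    kernel /vmlinuz-old ro root=/dev/sda1 quiet selinux=0
EOF
printf '# constructed sample\nSELINUX=disabled\nSELINUXTYPE=targeted\n' > "$demo/config"

audit_grub "$demo/grub.conf"
echo "config mode: $(config_mode "$demo/config")"
echo "config-only disabled: $(config_only_disabled "$demo/grub.conf" "$demo/config")"
```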

RE[2]: Debian already has this?
by Crono on Thu 20th Mar 2008 16:28 in reply to "RE: Debian already has this?"
Crono Member since:
2006-11-08

Even "disabled", it's still impacting performance unless you manually add "selinux=0" to your kernel boot string.


Do you have a source for that?
My Google-fu failed me - I just find information about the performance loss when actually using it.

Score: 1

sbergman27 Member since:
2005-07-24

Do you have a source for that?

As I recall it is in the FC5 SELinux FAQ.

Score: 2