[LEDE-DEV] running stuff as !root

David Lang david at lang.hm
Wed May 18 02:10:25 PDT 2016


On Wed, 18 May 2016, Ferry Huberts wrote:

> On 18/05/16 10:03, David Lang wrote:
>> On Wed, 18 May 2016, John Crispin wrote:
>> 
>>> On 18/05/2016 09:46, Ferry Huberts wrote:
>>>> 
>>>> 
>>>> already in-place in Fedora and RedHat/CentOS.
>>>> 
>>>> You then get even stronger protection and run-time performance impact is
>>>> negligible.
>>>> 
>>> the stuff i proposed has no runtime hit. selinux is simply too full
>
> SELinux's hit is for all intents and purposes zero as well nowadays.
>
>>> blown and hard to maintain. the idea would be to create a custom
>>> tailored solution for our requirements.
>> 
>> That is why I prefer AppArmor, you don't have the interaction between
>> different application configs that you do with SELinux, so you can focus
>> on the specific application that you are concerned about.
>
> AppArmor is significantly less secure than SELinux.
> And with SELinux you don't need all the preloading stuff that was talked 
> about, you can just declare which ports are allowed.

Tightly configured in expert hands, you are right. However, that's not the 
normal user of LEDE/OpenWRT. For what (little) it's worth, I'll point out that 
if home users are familiar with Linux, the odds are good that it's a flavor of 
Ubuntu that uses AA rather than Fedora that uses SELinux. (Not worth much 
because the home user probably hasn't touched AA or SELinux.)

Do all the compressed filesystems support the tagging needed by SELinux? What 
about external drives with FAT* or NTFS?

How do you handle the possible need to re-label your files on a read-only 
filesystem?

What is the difference in kernel size (and tool size) between AA and SELinux?

David Lang
