List:       debian-devel
Subject:    Re: Debian openssh option review: considering splitting out GSS-API key exchange
From:       Sirius <sirius () trudheim ! com>
Date:       2024-04-02 3:10:17
Message-ID: Zgt3GW734MPiZOMU () acer ! trudheim ! com

In days of yore (Tue, 02 Apr 2024), Colin Watson thus quoth: 
> TCP wrappers
> ============

I have not used hosts.{allow,deny} for the last 17 years (since I started my
current employment), so I am biased. My honest opinion is that firewall and
fail2ban have pretty much obsoleted TCP wrappers.

> SELinux
> =======
> 
> For the time being my inclination is to leave this be, but I've seen the
> suggestion that pam_selinux is basically all you need
> (https://infosec.exchange/@alwayscurious/112192949171400643), so maybe
> it would be an option to drop --with-selinux in favour of that?  I've
> never used SELinux, so I'd need an expert to weigh in here.

If you need an expert on SELinux, you need Dan Walsh.

I have used SELinux for the last 17 years, from when it was a monolithic
policy to what it is like today in RHEL. SELinux is - as far as I know -
not an issue and has a fail-closed rather than fail-open approach. IMHO,
if it is not used and you have the time to spare to drop it, do; otherwise
it should be safe to keep the status quo on this.

And should Debian pick SELinux up fully and enable a targeted policy,
well, you will want this anyway.

-- 
Kind regards,

/S