sjvn,

Everything you wanted to know about SELinux but were afraid to run https://opensourcewatch.beehiiv.com/p/everything-wanted-know-selinux-afraid-run by @sjvn

Yes, getting SELinux to work can be a PITA, but isn't worth some trouble?

nickserv,

@sjvn SELinux installation of just 'setools' takes over 1/2 GB on Debian. These additional packages bring their own risks. Like using a sledgehammer to kill a fly and damn the destruction from the hammer.

sjvn,

@nickserv SELinux is when you really, really need to lock a system down. On those occasions, you need a sledgehammer. For most of the rest of the time, I recommend AppArmor.

aho,

@sjvn Oh, I did run SELinux for a while. It wasn't a smooth experience, but then the other options ain't much simpler to use and break things as easily as SELinux. I wish there was something that was easy to administrate for us at home.

sjvn,

@aho I find AppArmor to do a decent job, and it's Much easier than SELinux.

aho,

@sjvn Sure, it is simpler, it's just that I have run into some issues with AppArmor and Dovecot at times. I have looked a bit at Tomoyo too, but it's not as generally used as AppArmor, so there's not much predefined for you.

I kind of wish I could just tell the security module to take a look at this binary and then that one gets everything it needs allowed, but static analysis of binaries is not part of the security module, so I keep on dreaming...

sjvn,
aho,

@sjvn My current setup doesn't use system users, as all the mail users are virtual ones.

My main issue has been that the distro I've been using has used the default example Dovecot AppArmor config for Dovecot, which has completely different paths than the Dovecot that is installed by the distro, and there were some other minor issues. It's just that each time I've done an upgrade of AppArmor, the Dovecot config has been overwritten and then I have to dig my changes out of a snapshot and restore those.
