
You are not wrong but also not right, it's something different.

For example FreeBSD has a MAC framework (a massive one btw) and also the "SELinux/SEBSD" framework on top of it (FLASK/TE), but you don't need to use it (not on Linux nor on FBSD).

OpenBSD has no MAC implementation, and with that no framework (SE*) on top of it, but has different/other ways to secure a system.

And TBH I have seen just 3 customers until now who really develop highly secure/complicated policies (two use MLS and one uses Brewer-Nash).

I think MAC should be used much more, but it's time intensive and hard to do it right; also keeping the policies clean and understandable needs LOTS of documentation and dedication.

https://www.diva-portal.org/smash/get/diva2:5365/FULLTEXT01.... (2006)

https://hardenedbsd.org/content/easy-feature-comparison



What massive MAC framework does FreeBSD have? Last I heard SELinux was attempting to be ported (SEBSD) but that was never finished?

The 'different/other' ways to secure the system are inferior since they offer no protection if root is compromised.

I don't think MAC is as hard to use as it was; there are so many policies and issues known this much later, but people still just disable it by default because they don't want to put in the time.


> What massive MAC framework does FreeBSD have?

Capsicum?


That's capabilities, not MAC


>What massive MAC framework does FreeBSD have?

That's NOT what I said: the FreeBSD MAC implementation is big and pretty much feature complete, NOT SEBSD.

>The 'different/other' ways to secure the system are inferior since they offer no protection if root is compromised.

There is no such thing as "inferior", just different approaches, from completely deleting root as a user to using containers/jails/zones, sandboxes, VMs etc. MAC is one of just many methods, and OpenBSD voted against it and went another route (and that is totally fine and understandable).

>I don't think MAC is as hard to use as it was

MAC is still very hard; you are talking about SELinux, which is just one implementation, called FLASK/TE.

Try to implement a Brewer-Nash MAC policy on a fileserver and I will see you sweating ;)

But as you can see, there is you and me (in this thread) who understand what a MAC even is, and that on HN... that just tells you how many people really have even an understanding of what it even is.
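To make the two policy families named in this thread (MLS, which two of the customers above use, and Brewer-Nash, which the comment above dares the reader to deploy on a fileserver) concrete, here is an added, self-contained toy reference monitor. It is not code from FreeBSD's MAC framework, SELinux or any real system; the subject, object and dataset names are constructed for the demo. The point it shows is the one the comment is making: an MLS decision is a pure function of two labels, while a Brewer-Nash (Chinese Wall) decision depends on every read the subject has ever been granted, so a fileserver enforcing it must keep per-subject history and one granted read can permanently shut off writes elsewhere.

```python
"""Toy reference monitor with two pluggable MAC policies (MLS and Brewer-Nash).

Added illustration for this thread; not code from FreeBSD, SELinux or any
other real system. All labels, paths and names below are made up.
"""
from dataclasses import dataclass
from typing import Optional

# ---- Policy 1: multilevel security (Bell-LaPadula style), stateless ---------
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class MlsLabel:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "MlsLabel") -> bool:
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


class MlsPolicy:
    def check(self, subject, obj, op: str) -> bool:
        if op == "read":
            return subject.mls.dominates(obj.mls)   # simple security: no read up
        if op == "write":
            return obj.mls.dominates(subject.mls)   # *-property: no write down
        raise ValueError(op)


# ---- Policy 2: Brewer-Nash / Chinese Wall, stateful ---------------------------
@dataclass(frozen=True)
class CwLabel:
    dataset: str              # whose data this is, e.g. "bank_a"
    coi_class: Optional[str]  # conflict-of-interest class; None = sanitised/public


class ChineseWallPolicy:
    def __init__(self):
        self.history = {}  # subject name -> set of (dataset, coi_class) read so far

    def _conflicts(self, hist, lab: CwLabel) -> bool:
        return any(c == lab.coi_class and d != lab.dataset
                   for d, c in hist if c is not None)

    def check(self, subject, obj, op: str) -> bool:
        hist, lab = self.history.get(subject.name, set()), obj.cw
        if op == "read":
            return not self._conflicts(hist, lab)
        if op == "write":
            # A write could copy anything already read into this dataset, so deny
            # unless every prior read was this same dataset or sanitised data.
            return (not self._conflicts(hist, lab)
                    and all(c is None or d == lab.dataset for d, c in hist))
        raise ValueError(op)

    def commit(self, subject, obj, op: str) -> None:
        if op == "read":  # only granted reads extend the history
            self.history.setdefault(subject.name, set()).add(
                (obj.cw.dataset, obj.cw.coi_class))


# ---- The framework part: every loaded policy must agree ----------------------
@dataclass
class Subject:
    name: str
    mls: MlsLabel


@dataclass
class Object:
    path: str
    mls: MlsLabel
    cw: CwLabel


class ReferenceMonitor:
    def __init__(self, policies):
        self.policies = list(policies)

    def access(self, subject, obj, op: str) -> bool:
        if not all(p.check(subject, obj, op) for p in self.policies):
            return False
        for p in self.policies:          # let stateful policies record the grant
            if hasattr(p, "commit"):
                p.commit(subject, obj, op)
        return True


def demo() -> dict:
    """Run a fixed access sequence; returns {step: granted?}."""
    rm = ReferenceMonitor([MlsPolicy(), ChineseWallPolicy()])
    alice = Subject("alice", MlsLabel("confidential"))
    bob = Subject("bob", MlsLabel("confidential"))
    conf = MlsLabel("confidential")
    bank_a = Object("/srv/bank_a/ledger", conf, CwLabel("bank_a", "banks"))
    bank_b = Object("/srv/bank_b/ledger", conf, CwLabel("bank_b", "banks"))
    oil_c = Object("/srv/oil_c/report", conf, CwLabel("oil_c", "oil"))
    plan = Object("/srv/board/plan", MlsLabel("secret"), CwLabel("oil_c", "oil"))
    steps = [
        ("alice reads bank_a", alice, bank_a, "read"),   # first bank: allowed
        ("alice reads bank_b", alice, bank_b, "read"),   # competing bank: wall
        ("alice reads oil_c", alice, oil_c, "read"),     # other COI class: allowed
        ("alice writes oil_c", alice, oil_c, "write"),   # could leak bank_a data
        ("alice reads plan", alice, plan, "read"),       # MLS: no read up
        ("bob reads bank_a", bob, bank_a, "read"),
        ("bob writes bank_a", bob, bank_a, "write"),     # only dataset he has seen
    ]
    return {name: rm.access(s, o, op) for name, s, o, op in steps}
```

Note the asymmetry: nothing in `MlsPolicy` needs to be persisted, while `ChineseWallPolicy.history` is exactly the state a real fileserver would have to keep durable, per user, across reboots and across every service that can read a file, which is where the "sweating" starts.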


> That's NOT what I said: the FreeBSD MAC implementation is big and pretty much feature complete, NOT SEBSD.

It is what you said. I never said you claimed SEBSD.

You said FreeBSD has a massive MAC framework. I was asking which one, and the only one I know of is SEBSD, which is not at all massive.

You are saying now FreeBSD has its own MAC framework, but I've never heard of it. What is it called?

> There is no such thing as "inferior", just different approaches,

Well that's not true. A screen door vs a heavy deadbolted door is clearly an inferior approach, not just a different approach to security, and that analogy extends to OS security technologies.

MAC is the only system that can 100% protect against an attacker getting remote root.

> MAC is still very hard

I've been dealing with MAC for 20 years, so I don't find it hard at all, and if people are willing to put in the effort to learn it the reward is worth it. But this is a world where most people want to get home to watch their latest story instead of doing any kind of mental work, and admins are no different.


>I was asking which one, and the only one I know of is SEBSD, which is not at all massive.

SEBSD is a framework, MAC is an implementation; those are two different things on different levels.

>MAC framework, but I've never heard of it. What is it called?

It's called MAC... you still don't see the difference?

https://docs.freebsd.org/en/books/handbook/mac/

Look, I stop here; you have obviously no knowledge of MAC.

>I've been dealing with MAC for 20 years

Yeah, no you haven't, since you don't even know the difference between SELinux and the/a MAC implementation.


This is frustrating. I don't know why you are trying to explain things when the issue is you simply were not clear with your first comment, and then acted like I misquoted you.

> SEBSD is a framework, MAC is an implementation; those are two different things on different levels.

This is incredibly wrong unless you are referring to something other than mandatory access controls when you say MAC.

MAC is a concept. SELinux AND SEBSD are implementations. And yes, you can say they are implementations of FLASK, or call them frameworks, but semantics aside none of that changes that SELinux and SEBSD are implementations of a concept.

Saying MAC is an implementation is just flat out wrong.

And for what it's worth, I was correct when I said it was SEBSD, even though it isn't called that anymore. That's what the project started off as before it was merged: http://www.trustedbsd.org/sebsd.html

> Yeah, no you haven't, since you don't even know the difference between SELinux and the/a MAC implementation.

The irony here lol.


>Linux Security Modules (LSM) is a framework allowing the Linux kernel to support without bias a variety of computer security models. LSM is licensed under the terms of the GNU General Public License and is a standard part of the Linux kernel since Linux 2.6. AppArmor, SELinux, Smack, and TOMOYO Linux are the currently approved security modules in the official kernel.

https://en.wikipedia.org/wiki/Linux_Security_Modules


I have no idea why you think linking that proves some kind of point, it only proves to me that as I said you are very much out of your depth in joining this conversation.

Please don't reply to me again.




We've banned this account for breaking the site guidelines badly and repeatedly in this thread, and for ignoring our many requests to stop doing that.

If you don't want to be banned, you're welcome to email hn@ycombinator.com and give us reason to believe that you'll follow the rules in the future. They're here: https://news.ycombinator.com/newsguidelines.html.

https://news.ycombinator.com/item?id=34130077 (Dec 2022)

https://news.ycombinator.com/item?id=31589813 (June 2022)

https://news.ycombinator.com/item?id=29665662 (Dec 2021)

https://news.ycombinator.com/item?id=27875046 (July 2021)

https://news.ycombinator.com/item?id=25826399 (Jan 2021)




We've banned this account for reasons I've explained here: https://news.ycombinator.com/item?id=35105542.

If you don't want to be banned, you're welcome to email hn@ycombinator.com and give us reason to believe that you'll follow the rules in the future. They're here: https://news.ycombinator.com/newsguidelines.html.



