Appropriate MAC for Arch on home computer?

lovyagin · 2015-02-02 16:20:29

Since I'm looking forward to switching from Fedora to Arch, I wonder about Mandatory Access Control in Arch.

On the wiki four different MACs are mentioned, AppArmor, Tomoyo, Grsecurity and SELinux. However looks like all of them are disabled in default kernel (both linux & linux-lts) and only grsecurity is enabled in pre-build kernel linux-grsec.

Building custom kernel takes significant time each upgrade, SELinux requires to build a lot of packages from source also. Grsecurity kernel looks like hibernation-incompatible and may cause problems with third-party drivers (vboxhost, nvidia, etc). So I need a MAC that

(1) doesn't require significant packages to be compiled from source each update, especially kernel (even localconfig may need 30-60 minutes or more on a slow netbook),
(2) support hibernation and everything that normally home computer can.
(3) support for all modern kernel modules.

Looks like there is no such kind of a MAC in Arch. Why?

And is using of a MAC really important for home computer at all? How risky to left system "as is" in case of attacks from local (ISP) network, unwise web browsing by inexperienced user, etc?

Trilby · 2015-02-02 16:34:30

You may want to look into some unofficial user repositories. There are many for alternative kernel configurations. Specifically clfarron4 maintains a few that include the patches necessary for some of these (e.g. ck-pax - but I'm pretty much clueless on this, so I don't know if that specific example would be a good way to go).

clfarron4 · 2015-02-02 16:38:52

lovyagin wrote:

Looks like there is no such kind of a MAC in Arch. Why?

There was a great long discussion about this in the mailing lists, so I'll point you there.

lovyagin wrote:

(1) doesn't require significant packages to be compiled from source each update, especially kernel (even localconfig may need 30-60 minutes or more on a slow netbook),
(2) support hibernation and everything that normally home computer can.
(3) support for all modern kernel modules.

I don't know. Unless someone is willing to compile the packages for you, there's only really grsecurity in [core]. I certainly have the space in my repository to host them, but I'd rather ask the package maintainer whether they're fine about my hosting pre-built versions and then there's the number of packages I already host...

Well, there is linux-ck-pax, which I provide ~~(ninja'd by Trilby XD)~~, but that's not a full MAC system (it's a big part of grsecurity, but grsecurity is a MAC system). It's more system to provide least privilege protections patched with CK to try and get some more performance.

Iovyagin wrote:

And is using of a MAC really important for home computer at all? How risky to left system "as is" in case of attacks from local (ISP) network, unwise web browsing by inexperienced user, etc?

It's all well and good having the MAC there, but if you don't configure it, well then I don't see any advantages. As for the other bits, well you've got your Firewalls and Responsible Browsing speeches.

EDIT: I had a look through the configs for linux-lts31{0/2}, and those still have TOMOYO and APPARMOR enabled, but those are older LTS kernels, which may/may not be so good.

Last edited by clfarron4 (2015-02-02 16:45:58)

lovyagin · 2015-02-03 13:51:52

Thanks a lot for the information.

As far as I can see it's better to have a MAC but there is no chance to see any officially pre-build solution in a foreseeable future...

So, what about configuration? Does it mean that default configuration like SELinux targeted policy in Fedora or default configuration of AppArmor in Ubuntu doesn't give any advantages in fact?

Arch Linux

#1 2015-02-02 16:20:29

Appropriate MAC for Arch on home computer?

#2 2015-02-02 16:34:30

Re: Appropriate MAC for Arch on home computer?

#3 2015-02-02 16:38:52

Re: Appropriate MAC for Arch on home computer?

#4 2015-02-03 13:51:52

Re: Appropriate MAC for Arch on home computer?

Board footer