> What massive MAC framework does FreeBSD have?
That's NOT what I said, the FreeBSD MAC implementation is big and pretty much feature complete, NOT SEBSD.
> The 'different/other/ ways to secure the system are inferior since they offer no protection if root is compromised.
There is no such thing as "inferior" but different approaches, from completely deleting root as a user to using Containers/Jails/Zones, sandboxes, VMs etc. MAC is one of just many methods and OpenBSD voted against it and went another route (and that is totally fine and understandable).
> I don't think MAC is as hard to use as it was
MAC is still very hard, you are talking about SELinux that is just one implementation called FLASK/TE. Try to implement a Brewer-Nash MAC policy on a fileserver and I will see you sweating ;)
But as you can see, there is you and me (in this thread) who understand what a MAC even is, and that on HN... that just tells you how many people really have even an understanding of what it even is.
It is what you said. I never said you claimed SEBSD.
You said FreeBSD has a massive MAC framework. I was asking which one, and the only one I know of is SEBSD, which is not at all massive.
You are saying now FreeBSD has its own MAC framework, but I've never heard of it. What is it called?
> There is no such thing as "inferior" but different approaches,
Well that's not true. A screen door vs a heavy deadbolted door is clearly an inferior approach, not just a different approach to security, and that analogy extends to OS security technologies.
MAC is the only system that can 100% protect against an attacker getting remote root.
> There is no such thing as "inferior" but different approaches,
I've been dealing with MAC for 20 years, so I don't find it hard at all, and if people are willing to put in the effort to learn it the reward is worth it. But this is a world where most people want to get home to watch their latest story instead of doing any kind of mental work, and admins are no different.