SELinux removed from desktop cd spin?
Douglas McClendon
dmc.fedora at filteredperception.org
Thu Jan 17 06:14:02 UTC 2008
Andrew Farris wrote:
> Douglas McClendon wrote:
>> <rant>
>>
>> I wish I could say that I'm sorry to crush your hopes, but I'm really
>> not. Despite what I've said in the past, I have the utmost respect
>> for selinux and security. But what I don't have any respect for is
>> people of your mind, who myopically just see "increased security".
>> People who view security that way IMO contribute to some of the worst
>> cancers against humanity.
>>
>> This is just standard rhetoric that I shouldn't be wasting my time
>> repeating here, but security is ALWAYS a balance and a tradeoff
>> against other *values*, and never an absolute.
>
> Sounds like politically charged nonsense, not rhetoric related to
> computer security.
>
>> When selinux is the right tool for the job, bringing a greater benefit
>> to the system at hand than the costs involved with using it, then
>> great. But to claim that it should remain in "*all* of the fedora
>> spins" is IMO utterly wrong, and a narrow vision of what fedora could
>> be useful for. There are times and applications where selinux is JUST
>> NOT WORTH IT. I'm not saying it's the majority of the time, or even
>> >1%. But if fedora is (to be) used in tens of millions of systems, 1%
>> of that is actually a *significant* number.
>>
>> If only I could waterboard the fuck out of all the loyal bushies that
>> see "national security" as the *only* value to be measured when making
>> a decision.
>
> Humanity and liberty are so important to you that you want to torture
> people (and evidently not to gather information because you know it
> already). Clearly we're learning something here.
>
>> There are times when you let innocent people die and get hurt by
>> terrorists, because the values sacrificed in making a decision that
>> could and does stop the terrorists, are MORE IMPORTANT than a narrow
>> short term view of "national security".
>
> "Essential Liberty vs. Temporary Freedom". Yes, liberty is important,
> but largely unrelated to whether you have selinux present in your
> favorite spin.
>
> SELinux *should* be in every official Fedora spin, especially those to
> be used on networked computer systems. But it should also be possible
> to turn it off and/or uninstall it, and be possible to build custom
> packages for embedded processing applications without it... but if I
> want an embedded linux with selinux enabled why shouldn't it be there
> available?
Since I love politically charged discussions- What you just said is
similar to the logical difference between
a) not mandating that evolution be taught as a theory in schools
vs
b) mandating that evolution not be taught as a theory in schools.
I.e., I wholeheartedly agree with you that if you want an embedded
linux with selinux enabled, it SHOULD be available.
But my holding that opinion does not change the fact that I also hold
the opinion that at some point down the road, there should be an
official fedora spin that comes with selinux disabled.
Clearly since I work on livecd-tools and the like, I am all for making
it as easy as possible to create variants.
But really, since I know how easy it is to just spin a distro of linux
with 99.9999% the same code base as fedora, that just isn't called
fedora, I don't *REALLY* care about this technical issue very much, and
I *REALLY* was just doing some soapboxing. But I think the political
and technical points I made (computer security, national security) are
not so disjoint that it is useless to speak of them in the same breath.
>
> Choice (somehow related to Liberty in your rant) does not mean you get
> to choose what is present all the time, it means you get to choose
> whether to use it or not. The presence of selinux does not infringe on
> your 'choice'. The preference of one person to have it in all spins
> does not infringe on your 'choice'. More importantly, the desire of
> some to improve computer security around the globe does not prevent you
> from running open boxes with blank root passwords... the choice is yours
> how insecure you want it.
I agree with every bit of that. Not sure what you thought I meant that
was different.
>
>> I sincerely hope that what I've said will cause you to think a little
>> more before uttering "I hope everyone agrees with me that more
>> security is always better" again. But I welcome you to crush my hopes
>> as I've just crushed yours.
>
> SELinux can and very likely will protect computer systems for
> terrorists' use just as easily as anyone else, since it is 1) free, 2)
> available to the entire known universe; it therefore has nothing
> whatsoever to do with US national security in the context of your
> 'rhetoric' and poorly argued politics.
I was really talking about whether the choice to use torture to improve
national security, without considering the other values lost in the
decision, was a wise one to make.
The parallel was whether or not the choice to *ALWAYS* use selinux to
improve computer security, without considering the other values
(bloat/performance degradation/user frustration), was not a wise one to
make.
But sometimes the subtlety of my logic goes over people's heads.
-dmc