SElinux

Mike McCarty Mike.McCarty at sbcglobal.net
Tue Apr 4 09:26:38 UTC 2006


Eugen Leitl wrote:
> On Tue, Apr 04, 2006 at 01:51:13AM -0500, Mike McCarty wrote:
> 
> 
>>>I guess it's a throw out the baby with the bathwater thing.
>>
>>[snip]
>>
>>I consider it throwing out the hogwash. IMO, SELinux is a
>>wrong-headed approach to security.
> 
> 
> I disagree. Things like SELinux/RSBAC/grsecurity+PaX can add a further
> defense layer in system hardening.

If someone gets through, then you are compromised. SELinux might
(repeat, might) somewhat reduce the damage. But if you get rooted,
then the infiltrator can change the policy just like you can.
Every additional piece of software which is on your machine is
another potential hole in your security, especially one which
runs at kernel level. And just plain defects which can corrupt
your system entirely are another issue.

You and all are welcome to do what you like about SELinux.
It doesn't and won't run on any of my machines.

Mike
-- 
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!



