SElinux

Craig White craigwhite at azapple.com
Tue Apr 4 13:30:14 UTC 2006


On Tue, 2006-04-04 at 01:49 -0500, Mike McCarty wrote:
> Craig White wrote:
> > On Sun, 2006-04-02 at 19:43 -0500, Les Mikesell wrote:
> > 
> >>On Sun, 2006-04-02 at 18:23, Craig White wrote:
> >>
> >>
> >>>All of the discussion about gui
> >>>tools is self serving attempts to provide a smoke screen to the basic
> >>>issue...that the sysadmin doesn't want to commit the time and energy to
> >>>learning how to deal with it. The logical extension that I add to that
> >>>is this unwilling system admin is not professional and will take the
> >>>easy road, much like failure to implement password policies discussed a
> >>>few days ago, etc. as this behavior is endemic and not likely reserved
> >>>to just selinux.
> >>
> >>Or, an equally valid view is that the sysadmin in question has
> >>learned from experience that every new-and-different extension
> >>to the basic unix system promoted by one or a few vendors has
> >>historically not turned out to be necessary and sometimes
> >>introduced new problems.  A wait-and-see attitude isn't such
> >>a bad thing.  When it is proven, you might expect all distributions
> >>to ship it.
> > 
> > ----
> > Of course the only people who are making these types of arguments are
> > those that haven't invested the time to figure it out. Where are the
> > knowledgeable admins that have taken the time to understand SELinux and
> > come to the conclusion that it is not of sufficient value to implement?
> 
> Well, Craig, I suppose that depends on how one defines "knowledgeable
> admin". The truly knowledgeable ones are the ones who look out for
> the company's bottom line, and trade off cost of compromise with
> cost of administration. IMO, SELinux breaks more things than it
> "fixes", and those truly interested in security provide it
> via physical access, firewalls, and DMZs, not glorified ACLs.
> 
> One thing I used to remind my engineers (when I was technical lead)
> was "if it isn't in the requirements spec, it doesn't go into
> the software", because every line of code is one more place for
> a defect to hide. So I'm sure that SELinux has a number of
> exploitable defects itself.
----
Sure have a lot of opinions for someone whose only exposure to
SELinux is FC-2, which is now 3 generations old in the Fedora world and
represented the first appearance of both the 2.6 kernel and SELinux.
Seeing as how it's been a very long time since only security errata is
released for FC-2, your exposure to SELinux is largely irrelevant. 

Like everything else, there are plusses and minuses but if you believe
in the layers you listed above (physical access, firewalls, DMZs, ACLs,
whether glorified or not), then surely you must realize that SELinux
represents another layer of security. Yet you choose to criticize it,
not surprisingly, without any intimacy with the technology.

As for my definition of a knowledgeable admin...that would encompass
sufficient knowledge of the technology before one decided that it wasn't
worthwhile.

Craig



