selinux eradicator?

Karl Larsen k5di at zianet.com
Fri Jun 29 00:00:28 UTC 2007


Mike McCarty wrote:
> David Boles wrote:
>> on 6/28/2007 3:13 PM, Karl Larsen wrote:
>>
>
> [that he disabled SELinux]
>
>> Good for you!!!!
>>
>> What you just did was something like:
>>
>> Build a house.
>> Put everything valuable that you own into it.
>> Disable all of the locks.
>> Open all of the windows and doors.
>>
>> And then walk away.
>>
>> Makes it really easy for the 'bad guys' to steal, or break, your stuff.
>> Like that guy at the University that you mentioned earlier.
>
> This is a completely unreasonable comparison.
>
> First:
>
> You have no idea how secure or insecure his machine is. Any machine
> with external access via modem etc. is insecure. Once one has such
> access, then one has only relative security. If he runs behind a
> hardware firewall, and has all ports closed or "stealthed", then
> he's as secure as one can be and still have connections. SELinux
> does not provide (AFAIK) any way to prevent compromise, only
> an attempt at containment after compromise.
>
> Second:
>
> I've seen industry estimates of approximately one defect per
> 50 non-commentary source code lines. How many lines of code are in
> SELinux? Divide by 50, and that's the estimated number of defects
> being introduced by loading that software onto your machine. So,
> loading SELinux onto your machine provides more opportunity for
> compromise via defect exploit. AFAIK, no one has actually done any
> scientific study as to whether a machine with SELinux active on it is
> any more secure than otherwise.
>
> Until such time, efficacy in loading or not loading SELinux
> to achieve enhanced security is a matter of conjecture, opinion,
> and personal preference.
>
> Mike
Hi Mike, exactly. I have DSL Internet and the 4 port router has 
hardware firewall and then you hit the red hat linux firewall and then 
you try to guess the root password or ANY password and then you're in.

In 12 years no-one has made it. Been close, however.

Karl

More information about the fedora-list mailing list