selinux eradicator?
Mike McCarty
Mike.McCarty at sbcglobal.net
Fri Jun 29 00:25:03 UTC 2007
Rahul Sundaram wrote:
> Mike McCarty wrote:
>
>> If he runs behind a
>> hardware firewall, and has all ports closed or "stealthed", then
>> he's as secure as one can be and still have connections.
>
>
> SELinux is not related to any traditional firewalls at all just in case
> someone is confused about that still.
Agreed on this point. I hope what I wrote wouldn't cause anyone
to think otherwise.
[snip]
>> Until such time, efficacy in loading or not loading SELinux
>> to achieve enhanced security is a matter of conjecture, opinion,
>> and personal preference.
>
> It is very much not conjecture. Use any good search engine and do your
> own research rather than speculate. One point that should be noted is that
You mean like these security vulnerabilities introduced by SELinux:
http://www.nsa.gov/selinux/list-archive/0306/4468.cfm
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-1052
http://www.gentoo.org/security/en/glsa/glsa-200510-22.xml
http://marc.info/?l=selinux&m=105492305125090&w=2
http://osvdb.org/displayvuln.php?osvdb_id=25232
It appears that SELinux can be disabled via a kernel exploit in FC6:
http://lists.immunitysec.com/pipermail/dailydave/2007-March/004133.html
For another "supporter" whose comments can actually be read as
a criticism, see
http://lwn.net/Articles/111437/
Here's an example of a defect added to the kernel as a result of
attempting to accommodate SELinux
http://projects.info-pull.com/mokb/MOKB-14-11-2006.html
> unlike the original analogy SELinux is an additional security layer and
> turning it off does not equate to turning off all security measures
Also agreed that it is an additional security measure, though I wouldn't
use the term "layer".
> and of course the management of SELinux needs to and will improve with the
> continuous development of better user space tools, but the
> underlying architecture is based on decades of research and work. The NSA
> SELinux site has various docs on this.
Spoken by a True Convert.
Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!