selinux eradicator?

Mike McCarty Mike.McCarty at sbcglobal.net
Fri Jun 29 00:25:03 UTC 2007


Rahul Sundaram wrote:
> Mike McCarty wrote:
> 
>> If he runs behind a
>> hardware firewall, and has all ports closed or "stealthed", then
>> he's as secure as one can be and still have connections.
> 
> 
> SELinux is not related to any traditional firewalls at all just in case 
> someone is confused about that still.

Agreed on this point. I hope what I wrote wouldn't cause anyone
to think otherwise.

[snip]

>> Until such time, efficacy in loading or not loading SELinux
>> to achieve enhanced security is a matter of conjecture, opinion,
>> and personal preference.
> 
> It is very much not conjecture. Use any good search engine and do your 
> own research rather than speculate. One point that should be noted is that 

You mean like these security vulnerabilities introduced by SELinux:

http://www.nsa.gov/selinux/list-archive/0306/4468.cfm
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-1052
http://www.gentoo.org/security/en/glsa/glsa-200510-22.xml
http://marc.info/?l=selinux&m=105492305125090&w=2
http://osvdb.org/displayvuln.php?osvdb_id=25232

It appears that SELinux can be disabled via a kernel exploit in FC6:

http://lists.immunitysec.com/pipermail/dailydave/2007-March/004133.html

For another "supporter" whose comments can actually be read as
a criticism, see

http://lwn.net/Articles/111437/

Here's an example of a defect added to the kernel as a result of
attempting to accommodate SELinux:

http://projects.info-pull.com/mokb/MOKB-14-11-2006.html

> unlike the original analogy SELinux is an additional security layer and 
> turning it off doesn't equate to turning off all security measures 

Also agreed that it is an additional security measure, though I wouldn't
use the term "layer".

> and of course the management of SELinux needs and will improve with the 
> continuous development of better user space tools, but the 
> underlying architecture is based on decades of research and work. The NSA 
> SELinux site has various docs on this.

Spoken by a True Convert.

Mike
-- 
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!