selinux eradicator?

Mike McCarty Mike.McCarty at
Fri Jun 29 02:17:40 UTC 2007

Rahul Sundaram wrote:
> Mike McCarty wrote:
>> What they show is that there are provable DISadvantages. No amount
>> of weighing advantages on one side vs. disadvantages on the other
>> is going to amount to proof of whether any individual person should
>> or should not use it.
> No but your argument was that the advantages are merely conjecture and 
> that is very clearly false.

No, that was not my argument. My argument is that people are
commenting from a position of conjecture. There is no scientific
conclusive study showing that SELinux unarguably improves
security of machines. What is conjecture is that any given machine
running SELinux is more secure than it would be not running

Not one attack on my machine has made it past my router. Not one.
My router sometimes logs thousands of attempts per month. I've been
running since about October 2005. I'd say it's pretty debatable that my
machine would be more secure with SELinux enabled.

>> Partially, my point is that any time one modifies any package, no
>> matter for what reason, there is the opportunity to introduce
>> defects. 
> This is a generic argument and you can apply it to any piece of code and 
> indeed against new development.  These overtly generic arguments bring 
> nothing useful to the discussion.

Yes, they do. Because currently the onus is still on the
side of proponents of SELinux to show that it is conclusively
better than what already exists. The current argument is still
in the stage wherein one should view SELinux with a jaundiced
eye, and ask "Why should I add still more code, and its
associated defects and vulnerabilities, to my computer?"
rather than provide arguments not to.

Installing and running SELinux closes certain types of holes,
and opens up some others. It is a certainty that running
SELinux makes a machine more vulnerable in some respects.
It is also a certainty that it increases the irritation factor
in using what is actually a single user computer sitting on
my desktop. It is possible that in some theoretical sense
it improves the security of such a machine against attacks
which will never actually occur. It is also possible that
my router will some day allow someone into my machine.

OTOH, I do regular backups of all the information on my machine
which I would miss if it were destroyed. This is something I
do because I know that some day my machine will have a physical

Also, I don't keep dangerous information on my machine, like
bank account numbers.

>> You expressed faith, which is purely personal. How else am I to comment?
>> Keep your own comments technical, and you won't evoke such kinds of
>> responses.
> No my comments were purely technical and had technical references and 
> had nothing to do with faith.  We aren't talking about religion here.

I quote:

"the management of SELinux needs and will improve with the continuous 
development of better user space tools"

That is faith, not a matter of technical fact.


> discussions on this that you can refer to first) and send patches.  That 
> would be much more reasonable than theoretical discussions.

I did not respond to what you wrote, you responded to me. I saw
Karl ask for a change to FC which I thought was reasonable.
I saw a response which was not a reasonable one, and responded
to it. This is not a "theoretical" matter. A fellow was being
roundly and unreasonably criticized for not wanting to run

If I saw a request here asking how one would make root not
have a password, I might comment that IMO it was a bad idea,
but I wouldn't use sarcastic criticism[*] to try to convince
him of that idea. I would supply the information on how to
do it. Certainly, until one knows what the eventual goal
of someone else is, it doesn't make sense to criticize
it. Having root have no password is a reasonable thing for
a LiveCD, for example.

[*] I don't mean to imply that you have been sarcastic at
all. You've been a polite gentleman.

Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!
