sundaram at fedoraproject.org
Fri Jun 29 02:42:07 UTC 2007
Mike McCarty wrote:
> Rahul Sundaram wrote:
>> Mike McCarty wrote:
>>> What they show is that there are provable DISadvantages. No amount
>>> of weighing advantages on one side vs. disadvantages on the other
>>> is going to amount to proof of whether any individual person should
>>> or should not use it.
>> No but you argument was that the advantages are merely conjecture and
>> that is very clearly false.
> No, that was not my argument. My argument is that people are
> commenting from a position of conjecture. There is no scientific
> conclusive study showing that SELinux unarguably improves
> security of machines.
There is. SELinux is MAC security framework and is based on scientific
studies over decades which clearly show their advantages. Again read
some of the work at NSA SElinux site.
> Not one attack on my machine has made it past my router. Not one.
> My router sometimes logs thousands of attempts per month. I've been
> running since about October 2005. I'd say it's pretty debatable that my
> machine would be more secure with SELinux enabled.
A machine running SELinux enabled is provably more secure than a machine
running merely a firewall or router. They are not comparable security
> Yes, they do. Because currently the onus is still on the
> side of proponents of SELinux to show that it is conclusively
> better than what already exists
... which they already have for those who bother to look.
> I quote:
> "the management of SELinux needs and will improve with the continuous
> development of better user space tools"
> That is faith, not a matter of technical fact.
It is a fact because actual development work is being done on these user
space tools as it has happened over several Fedora releases. It is
undeniable and easily verifiable that SELinux user space tools have
improved very heavily from the early introduction during FC2 time frame.
> I did not respond to what you wrote, you responded to me. I saw
> Karl ask for a change to FC which I thought was reasonable.
> I saw a response which was not a reasonable one, and responded
> to it.
You actually missed out my very reasonable and clear answer and I had to
respond to you again to point out that I have already answered the
question you were asking which is not a new one and has been answered
many times before and you have made several incorrect assumptions about
SELinux which I had to correct.
So again, completely removing all SELinux libraries (as opposed to
merely turning it off) is very intrusive and significant amount of
effort that does not offer any significant advantages but if you want
really want to put the effort and send patches you are welcome to do so.
It is certainly easier than creating a different spin however which you
were advocating for.
More information about the fedora-list