selinux eradicator?
Mike McCarty
Mike.McCarty at sbcglobal.net
Fri Jun 29 03:31:49 UTC 2007

Rahul Sundaram wrote:
> Mike McCarty wrote:
>
>>
>> No, that was not my argument. My argument is that people are
>> commenting from a position of conjecture. There is no scientific
>> conclusive study showing that SELinux unarguably improves
>> security of machines.
>
>
> There is. SELinux is a MAC security framework and is based on scientific
> studies over decades which clearly show their advantages. Again read
> some of the work at the NSA SELinux site.

Mandatory Access Control is not a thing, it is a technique. SELinux
is a thing, which may or may not be a good implementation of MAC.

>> Not one attack on my machine has made it past my router. Not one.
>> My router sometimes logs thousands of attempts per month. I've been
>> running since about October 2005. I'd say it's pretty debatable that my
>> machine would be more secure with SELinux enabled.
>
> A machine running SELinux enabled is provably more secure than a machine
> running merely a firewall or router. They are not comparable security
> technologies.

A machine running the current SELinux implementation is provably
less secure in some senses than one which is not.

>> Yes, they do. Because currently the onus is still on the
>> side of proponents of SELinux to show that it is conclusively
>> better than what already exists
>
>
> ... which they already have for those who bother to look.

I have already demonstrated that I have looked, I just disagree
with you.

>> I quote:
>>
>> "the management of SELinux needs and will improve with the continuous
>> development of better user space tools"
>>
>> That is faith, not a matter of technical fact.
>
> It is a fact because actual development work is being done on these user

It is faith that SELinux will survive at all.

[snip]
> So again, completely removing all SELinux libraries (as opposed to
> merely turning it off) is very intrusive and a significant amount of
> effort that does not offer any significant advantages, but if you
> really want to put in the effort and send patches you are welcome to do so.
> It is certainly easier than creating a different spin, however, which you
> were advocating for.

Erm, ADDING SELinux was an intrusive effort, which is now difficult
to undo.

Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!