selinux eradicator?

Mike McCarty Mike.McCarty at sbcglobal.net
Fri Jun 29 03:31:49 UTC 2007


Rahul Sundaram wrote:
> Mike McCarty wrote:
> 
>>
>> No, that was not my argument. My argument is that people are
>> commenting from a position of conjecture. There is no scientific
>> conclusive study showing that SELinux unarguably improves
>> security of machines.
> 
> 
> There is. SELinux is a MAC security framework and is based on scientific 
> studies over decades which clearly show their advantages. Again, read 
> some of the work at the NSA SELinux site.

Mandatory Access Control is not a thing, it is a technique. SELinux
is a thing, which may or may not be a good implementation of MAC.

>> Not one attack on my machine has made it past my router. Not one.
>> My router sometimes logs thousands of attempts per month. I've been
>> running since about October 2005. I'd say it's pretty debatable that my
>> machine would be more secure with SELinux enabled.
> 
> A machine running SELinux enabled is provably more secure than a machine 
> running merely a firewall or router.  They are not comparable security 
> technologies.

A machine running the current SELinux implementation is provably
less secure in some senses than one which is not.

>> Yes, they do. Because currently the onus is still on the
>> side of proponents of SELinux to show that it is conclusively
>> better than what already exists
> 
> 
> ... which they already have for those who bother to look.

I have already demonstrated that I have looked, I just disagree
with you.

>> I quote:
>>
>> "the management of SELinux needs and will improve with the continuous 
>> development of better user space tools"
>>
>> That is faith, not a matter of technical fact.
> 
> It is a fact because actual development work is being done on these user 

It is faith that SELinux will survive at all.

[snip]

> So again, completely removing all SELinux libraries (as opposed to 
> merely turning it off) is very intrusive and a significant amount of 
> effort that does not offer any significant advantages, but if you 
> really want to put in the effort and send patches you are welcome to do so. 
> It is certainly easier than creating a different spin, however, which you 
> were advocating for.

Erm, ADDING SELinux was an intrusive effort, which is now difficult
to undo.

Mike
-- 
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!




More information about the fedora-list mailing list