selinux eradicator?
Rahul Sundaram
sundaram at fedoraproject.org
Fri Jun 29 03:47:13 UTC 2007
Mike McCarty wrote:
> Rahul Sundaram wrote:
>> Mike McCarty wrote:
>>
>>>
>>> No, that was not my argument. My argument is that people are
>>> commenting from a position of conjecture. There is no scientific
>>> conclusive study showing that SELinux unarguably improves
>>> security of machines.
>>
>>
>> There is. SELinux is a MAC security framework and is based on scientific
>> studies over decades which clearly show their advantages. Again, read
>> some of the work at the NSA SELinux site.
>
> Mandatory Access Control is not a thing, it is a technique. SELinux
> is a thing, which may or may not be a good implementation of MAC.
There is lots of good evidence that SELinux is a good implementation. An
example of this is LSPP and RBAC certification of RHEL 5 based on
SELinux technology. You have zero practical experience with it.
> I have already demonstrated that I have looked, I just disagree
> with you.
You haven't demonstrated that you looked at any of the research since
you made obviously incorrect speculations about it in your earlier mails.
> It is faith that SELinux will survive at all.
This is too broad a statement and speculative to be meaningful.
> Erm, ADDING SELinux was an intrusive effort, which is now difficult
> to undo.
Nobody claimed it was easy to introduce a fundamental new security
paradigm. You just prove my point that the effort to not install SELinux
libraries offers pretty much no advantage over merely enabling or
disabling it as required.
Rahul