selinux eradicator?

Jim Cornette fc-cornette at insight.rr.com
Fri Jun 29 11:14:59 UTC 2007


Mike McCarty wrote:
> Jim Cornette wrote:
>> Mike McCarty wrote:
>>
>>>
>>> A machine running current SELinux implementation is provably
>>> less secure in some senses than one which is not.
>>>
>>
>>  From a very recent security update for httpd.
>>
>> Update Information:
>>
>> The Apache HTTP Server did not verify that a process was an
> 
> [snip]
> 
> And I gave a few examples where running SELinux caused
> the machine to be more vulnerable.
> 
> [snip]
> 
>> Just a passing example.
> 
> Indeed. Just as passing as the ones I gave. Read what I
> wrote above. I put in "in some senses" for a reason.

I'll have to check out the info related to vulnerabilities. SELinux 
seems to be more of a system for denials rather than privilege escalation.

> 
> SELinux improves security in some senses, and reduces it
> in some other senses. It also unarguably makes administration
> of a machine more complex and involved. Whether the extra
> benefit be worth the extra complexity and vulnerabilities
> should be a personal decision at present.

No doubt the choice should be up to the person responsible for running 
the computer.

> Mike


-- 
Interfere?  Of course we should interfere!  Always do what you're
best at, that's what I say.
		-- Doctor Who



