selinux eradicator?

Rahul Sundaram sundaram at fedoraproject.org
Thu Jun 28 23:47:32 UTC 2007


Mike McCarty wrote:

> If he runs behind a
> hardware firewall, and has all ports closed or "stealthed", then
> he's as secure as one can be and still have connections.

SELinux is not related to any traditional firewalls at all, just in case 
someone is still confused about that.

> SELinux
> does not provide (AFAIK) any way to prevent compromise, only
> an attempt at containment after compromise.

Incorrect. It can do both.

> AFAIK, no one has actually done any
> scientific study as to whether a machine with SELinux active on it be
> any more secure than otherwise.

If you consider practical situations where SELinux has prevented or 
mitigated the issue, there are many. There have been innumerable studies on 
the effectiveness of MAC based security over traditional DAC security, 
and they are scientific ones. Use Google.

> Until such time, efficacy in loading or not loading SELinux
> to achieve enhanced security is a matter of conjecture, opinion,
> and personal preference.

It is very much not conjecture. Use any good search engine and do your 
own research rather than speculate. One point that should be noted is that, 
unlike the original analogy, SELinux is an additional security layer, and 
turning it off does not equate to turning off all security measures. Of 
course the management of SELinux needs to and will improve with the 
continuous development of better user space tools, but the underlying 
architecture is based on decades of research and work. The NSA SELinux 
site has various docs on this.

Rahul
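The "practical situations where SELinux has prevented or mitigated the issue" that Rahul mentions show up on a real system as AVC denial records in the audit log. The script below is an added example, not part of the original thread or of any SELinux tooling: it takes a few constructed audit records (made-up timestamps, pids, inodes and contexts in the standard `type=AVC ... avc: denied { perm } for ...` layout) and reduces each denial to "which source domain was stopped from doing what to which target type". The function names `summarize_avc` and `count_denials` are this example's own, and the `SAMPLE_AUDIT` records are invented for illustration.

```shell
#!/bin/sh
# Constructed sample audit records in the layout SELinux uses for AVC
# messages. None of these come from a real system; pids, inodes,
# timestamps and the granted/denied outcomes are all made up.
SAMPLE_AUDIT='type=AVC msg=audit(1183074452.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="shadow" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1183074453.456:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1183074453.456:457): arch=40000003 syscall=102 success=no exit=-13
type=AVC msg=audit(1183074460.789:460): avc:  granted  { setenforce } for  pid=900 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security'

# summarize_avc reads audit records on stdin and prints one line per
# denial in the form:
#   <source type> denied { perms } on <target type> (<object class>)
# Granted records and non-AVC records (SYSCALL etc.) are skipped.
# The type is the third colon-separated field of an SELinux context,
# e.g. system_u:system_r:httpd_t:s0 -> httpd_t.
summarize_avc() {
    awk '
        /^type=AVC / && / denied / {
            perms = $0
            sub(/.*denied +[{] /, "", perms)   # drop everything up to "{ "
            sub(/ [}].*/, "", perms)           # drop " }" and the rest
            src = ""; tgt = ""; cls = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
                if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
                if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            }
            printf "%s denied { %s } on %s (%s)\n", src, perms, tgt, cls
        }'
}

# count_denials prints how many AVC denial records were on stdin; useful
# as a quick "did the policy block anything today" check in a cron job.
count_denials() {
    summarize_avc | wc -l | tr -d ' '
}

# Example invocation on the constructed records above. On a live system
# the input would be the audit log, e.g. /var/log/audit/audit.log.
printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc
printf '%s\n' "$SAMPLE_AUDIT" | count_denials
```

Read against the thread: the first two records are a confined web server domain being refused access to the shadow file and to the database port. A host firewall would not have blocked either, which is the point that SELinux and firewalls are unrelated layers; and the refusal happens before the access, which is what "prevent" rather than merely "contain" looks like in the log.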
