[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: "Many" happy selinux users nowadays



Andy Green wrote:

[snip]

It's obviously up to you how you deal with that, but I strongly believe
that you can't inherently trust machines on any internal network any

My issues with SELinux are:

(1) it is wrong-headed
(2) it is pervasive
(3) it has defects, and always will

The additional "security" it offers to an already compromised
system is debatable. This thread proves it. That it causes
additional admin is not debatable. So, there are costs associated
with using it. Whether those costs are justified by the perceived
threat is a subjective, and I would argue EVEN IF IT IS IN SOME
CIRCUMSTANCES USEFUL[*] installation dependent, matter.

SELinux might protect against a malicious intruder who is already
on your machine. I don't have any. There are exactly three users
defined on my machine who can actually log on:

root
me
another guy who no longer has access to my machine, a friend.

My machine sits behind a hardware firewall which doesn't
even respond to attempts to access, except for the e-mail
port, which is closed. Perusal of the logs on my machine
show not even one attempt to gain access. Perusal of the
logs on the firewall show numerous attempts to gain access.

I don't download and execute other people's programs.

I don't permit Java or Javascript to run on my machine.

I don't permit my mailer to use links or to download images.

You have to mix in the level of grief to implement it.  For example
everyone keeps agreeing that the initscripts and especially shutdown can
be made MUCH better, but it's so frightening to take care of everything
with minimal breakage that somehow Fedora doesn't seem to get anywhere
with it (over years).

I don't know to what you refer.

[*] I don't subscribe to this, but even if it is stipulated,
in that case it's still an installation-dependent matter.
Even if SELinux were actually useful, which I do not admit,
not all installations would have the additional security
benefit justify the additional overhead.

Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]