
Re: How best get rid of SELinux?



On Friday 21 September 2007, Ed Greshko wrote:
>Gene Heskett wrote:
>> I have a firewall that has so far been bulletproof.  It's called dd-wrt,
>> run on an old scrap x86 box, booting busybox from a cf card, no drives in
>> it & only 2 fans.
>
>I'm not sure why you are comparing the functions of SELinux with the
>functions of a firewall.  It would be nice to hear your interpretation of
>the issues that SELinux targets vs. what a Firewall targets.  If you think
>they serve the same functions it would be nice if you would cite your
>source.

Several people have referred to 'that hacker' getting into the system, which 
is how I at least made the connection to a firewall.  And to me, the firewall 
function of standing guard between my stuff and the rest of the planet is at 
least 10,000 times more important than silently, no log was generated, 
blocking off any and all access to the hardware data ports (usb and serial) 
even when that file says SELINUX=disabled.

In truth, and from the clues this old troubleshooter has detected, the only 
thing disabled by the above line is the logging, selinux is still standing 
behind the user, with a baseball bat hitting you in the back of the knee 
joints but using a pillow to muffle the noise.  But that will be denied 
vociferously by those whose purpose it is to see to it that we run with it 
enabled.  If you don't believe that, just watch this space...

Questions that need answered _here_, where the whole list will read them are:

Why do the supposed selinux functions, if 10,000% less important than a 
firewall (my personal estimation anyway) seem to take 10,000 times more 
maintenance than the far more important firewall?

And why is it that any "refutation of my claims messages" all have little or 
nothing to say except point the reader to other net locations where the 
propaganda to be read was written by someone WITH an agenda?

And why is it that an error, if logged, can't be grepped for in the 
man-pages and the correct command line option to fix it be found?

I suppose the theory there is not to make it too simple for the hacker to fix, 
but if the hacker has gotten to that point, I'll submit that you already have 
a hell of a lot bigger problem than selinux is ever going to fix.

Rant/Observation:

It's a 'solution' looking for a 'problem' and if it can't find a problem, it 
will make 10 problems just for spite.

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
That's easy to fix, but I can't be bothered.

