How best get rid of SELinux?

Tim ignored_mailbox at yahoo.com.au
Sat Sep 22 04:43:05 UTC 2007


Tim: 
>> One of the (almost) unsung benefits of it is to do with created
>> software.  
>> 
>> If the programmers use a system with SELinux, they're forced into
>> writing their software better.  And we end up with software which

Mike McCarty: 
> They are forced into writing it SELinux aware. That is not
> part of my definition of "better".

This is you trying to fit it into your blinkered view.  You harp on
about it being about mitigating already compromised machines, which is
an over-simplification to the point of being stupidly and utterly wrong.

Ignoring your ignorance for the moment, if you read what I wrote, and
snipped off: writing to support working with SELinux means writing
software in a better manner, so that it doesn't expect to be able to do
things that it shouldn't be allowed to (accessing files it has no
business accessing, being executable in places that it shouldn't be, and
so on).  It's *that* sort of thing that makes for better programming.  If
you can't grasp that, you're not up to the task of programming in a safe
manner.

> Note that SELinux does not attempt to make a machine more
> secure, except in a very general sense. It attempts to mitigate
> damage on a machine WHICH IS ALREADY COMPROMISED.

Bollocks!

> It does little AFAICT to prevent compromise.

Oh do some research!

-- 
[tim at bigblack ~]$ uname -ipr
2.6.22.5-76.fc7 i686 i386

Using FC 4, 5, 6 & 7, plus CentOS 5.  Today, it's FC7.

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
