sds at tycho.nsa.gov
Tue Jul 5 16:14:42 UTC 2005
On Tue, 2005-07-05 at 10:42 -0500, alex at milivojevic.org wrote:
> Sorry, it wasn't my intention to blame the messenger. All I wanted to say (and
> as usual badly expressing myself) was that making a system secure is a complex
> task. Simply having SELinux enabled on the system does not make the system
> ultimately secure. Making changes to default policies without fully
> understanding what the changes will introduce just makes it even less secure.
> Example: On several Linux-end-users type of lists I already saw posters with
> good intentions giving advice to include this or that rules into the policy to
> solve various problems, just to have other people screaming in replies that
> those including such rules into their policy could just as well disable
> completely with about the same effects.
> If somebody Googles around to find a solution to the specific problem and finds
> advice to do "chmod -R a+rw /", (s)he is not likely to actually do it. On the
> other hand, there are many more people that will include some random set of
> rules into their SELinux policy, giving application(s) way more access than
> they really need. Nothing to do with SELinux as such, and it would be wrong to
> blame it. But rather with human nature (which is the weakest link of any
> security system).
Yes, understood. And as I say, there is ongoing work to make (correct)
policy configuration much more accessible to typical end users.
National Security Agency