[CentOS] SELinux threads, cynicism, one-upmanship, etc.

Peter Farrow peter at farrows.org
Fri Nov 25 23:09:31 UTC 2005


Some you seem to be drowning in the "complex=secure" scenario.

SELinux adds complexity, the biggest dangers in computer hacking come 
from within your own network.

90% of hacking jobs are in house as the statistics show.

SELinux makes security complex and bloat like, the same thing that makes 
Windows insecure, this makes the admin job harder, which will lead to 
mistakes, which will make it hard to find holes, which will inevitably 
lead to a less secure system.... QED.

Perhaps all of you that _LOVE_ SElinux so much should branch off to a 
new flavour of Linux,

I propose that you name it BloatOS,

Just keep it well away from me.

My boxes have SELinux=disabled on all of them (thats a big number by the 
way).

I don't need it, those sysadmins who feel they need to use, sure go 
ahead and use it, but please don't take the morale high ground saying 
using it is definately better and more secure, because I find that kind 
of talk irritating because it is so wrong.

One thing is for sure, SELinux slows the box down, which perhaps you 
could start arguing that "aah yes the box is so much slower now, it wil 
take a hacker longer to get in - hey SElinux really is secure for that 
reason alone" -- ROTFLOL....

I think you should rename this thread BloatOS.

You could then write shell script called "unbloat" or "speedup"

I propose it contains

rpm -e  libselinux-1.19.1-7  selinux-policy-targeted-1.17.30-2.110 
libselinux-devel-1.19.1-7

Maybe that too has some marketing mileage, you could sell this script as 
a box performance enhancer,

LOL


Les Mikesell wrote:

>On Fri, 2005-11-18 at 22:42, Lamar Owen wrote:
>
>  
>
>>Maybe I'm wrong, but I think any admin needs to experience having their box 
>>cracked.  It will produce the humbleness necessary to the trade, because 
>>overconfidence is dangerous.
>>    
>>
>
>Yes, but when the box gets cracked _because_ they are using the
>latest new thing their distribution added under the guise of
>increased security, as happened with ssh a while back, it
>also produces the attitude that new stuff should soak a long,
>long while in a distribution like fedora before going onto
>production boxes.  You want to at least wait until the surprises
>stop - and I take the flurry of reports of broken apps at
>every update as an indication that they haven't stopped yet.
>
>Your analogy to a weapon was a good one.  When the experts
>tuning the distribution still can't keep it from blowing
>up in peoples's faces some of the time, normal people should
>keep their distance.  When the fedora and Centos lists go
>several months without a mysterious app failure caused by
>SELinux it will be time to reconsider.
>
>  
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.centos.org/pipermail/centos/attachments/20051125/41f16a7a/attachment.htm


More information about the CentOS mailing list