[CentOS] Saw this and thought warmly of everyone on the list
rado at rivers-bend.com
Tue Sep 19 01:10:57 UTC 2006
On Mon, 2006-09-18 at 20:32 -0400, Jim Perrin wrote:
> > see points for 12 and 13 to substantiate my previous post....
> 12. So it's not 'trusted', big deal neither is linux. That doesn't
> mean that it doesn't provide security benefit to the people who want
> mandatory access controls.
> 13. Note the nod here to physical security and personnel security.
> Selinux adds mandatory access control support to linux. This will help
> prevent some script kiddie from exploiting a hole in php code and
> using you for a spam proxy. It will not however stop someone from
> walking up and ripping out the hard drive to get to your files, or
> protect you from an unguarded shell in the event someone walks off
> while logged in as root.
> > so its not secure and its not trusted and its not going to be B1 and C2
> > evaluated and point 16 is a killer,
> 16. It's not the NSA's job to debug the linux kernel. They did what
> every other developer does and patches it to support their own code.
> If you don't like this one, you should probably stop using computers
> altogether, everyone does this, and its OS agnostic. Hell, for some
> environments, you can't even get the source to attempt to debug it.
> > point 17 is icing on the cake, (I think SElinux is about 6 feet under by
> > now)
> 17. This one is stale, because the FAQ you're linking to hasn't been
> updated since around 2003. RHEL 4 is very much authorized, and very
> much has selinux included, and enabled by default. The second half is
> mostly accurate, as selinux does not give added 'acceptability' to the
> OS, though it does add to the overall security metric used to judge
> system risk.
> > so bring on the flames, your gonna have to do really well to justify it
> > now.... (lol)
> Please refrain from yelling fire in crowded venues, or starting
> flamewars on this mailing list.
> > And all these points are from the authors of SELinux, so save yourself
> > the trouble and disable it...
> You're misinterpreting some of this. SELinux is not a silver bullet to
> secure everything and be easy to use. It has a limited scope, and a
> limited focus. That's the point the 'authors' were making. Lets also
> not forget the that 'authors' here are the NSA. They are
> professionally paranoid, and are amazingly careful and astute when it
> comes to security. Now quit trying to incite a flamewar.
> If selinux helps you, then use it. If it doesn't, then don't. No one
> is twisting your arm and forcing you at gunpoint to use it.... yet.
> The beauty of open source is that it's all about choice. Do what you
> want, so long as you're smart enough to do it.
very good, Jim. I believe you laid it all out where this thread should
be a done deal. I don't use selinux only because it's one of those
"rountoit" thangs.. It seems that if sel* was that bad that RH would
never have it in the os pkg. I don't think I am that far out of line by
stating that most people that don't run it are probably in the same
situation I'm in. I have not studied it yet. And it seems like it's one
of those deals that if you want to run it...you damn sure better
understand it or you are going to find yourself in lots of trouble.
If ya think you smart,you pretty friggin ignorant. If you think you
smart enuf...then you tellin a story, you ready for that challenge!
More information about the CentOS