[CentOS] Saw this and thought warmly of everyone on the list

Wed Sep 20 19:39:24 UTC 2006
Johnny Hughes <mailing-lists at hughesjr.com>

On Wed, 2006-09-20 at 18:10 +0100, Peter Farrow wrote:

<snip>

> Since SElinux seems to spawned as an intern type project and nothing
> more, what I object to is it being enabled by default.

FUD #1

It is not an interim project for RH ... it will be supported for 7 years
in RHEL4 and also if it stays in RHEL5, for 7 years there as well.


> 
> -- when really it should be an option to enable it, which a warning
> that it wasn't tested for vulnerabilities, does not
> add any official security value to Linux and will of course slow the
> system down.

FUD #2

It does add security value to the OS ... you have misquoted the site.  

By limiting the access of certain processes to do things outside certain
directories, you mitigate the damage caused by almost any exploitable
remote root vulnerability ... it does not, however, FIX the
vulnerability.  So, it does not make your system less likely to be
compromised ... it does limit the damage.

Also, the upstream provider does test SELinux ... much like they do for
apache, mysql, etc.  They will patch and feed back problems to that,
just like they do any other package.  

>   Furthermore it adds a layer of
> security obfuscation which will in itself lead to administrators
> making mistakes and inadvertently lowering security
> as it is such a PITA.
> 

FUD #3

It can not lower anything ... if it is misconfigured, it is not any
worse than being off (from a security perspective). All the standard
system setting will apply.

> Unices were configurable to be secure by many a competant
> administrator before this addition of bloat to the OS.
> 
> I choose not to use it, but ocassionally on some of my RHEL installs I
> forget to turn it off, 
> if it is off by default I wouldn't need to keep removing it!
> 

Well ... do you forget to add your database to a database server or
httpd to your web server and have it functino properly?  Probably not.

> What I find most curious is, despite the authors of it claiming
> nothing of any note about it in terms of security,
> and in fact in the link I originally posted the authors go quite some
> way to distance themselves from claiming
> it adds any actual security, and hasn't been tested for
> vulnerabilities as such, that some people still swear by it as
> the gospel truth and the only one true path.  Whilst such religious
> commitment to an unproven cause undoubtedly
> shows good faith, I would add that such blind practices are best left
> to sunday school or the church sermon.

You are just flat out wrong in your assertions ... what they are saying
is that it is not a magic bullet.  It, when used properly in a layered
approach, does make your machines more secure.  chown and chmod do not
add "security" to your server if installed ... however, as tools, when
used properly they certainly can make your server operate more securely.

Choose to use selinux or not ... but stop with the FUD please.

Thanks,
Johnny Hughes

<snip>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://lists.centos.org/pipermail/centos/attachments/20060920/256de4eb/attachment-0005.sig>