<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
<pre wrap="">> If selinux helps you, then use it. If it doesn't, then don't. No one
<span class="moz-txt-citetags">> </span>is twisting your arm and forcing you at gunpoint to use it.... yet.
<span class="moz-txt-citetags">> </span>The beauty of open source is that it's all about choice. Do what you
<span class="moz-txt-citetags">> </span>want, so long as you're smart enough to do it.</pre>
<br>
Since SElinux seems to spawned as an intern type project and nothing
more, what I object to is it being enabled by default.<br>
<br>
-- when really it should be an option to enable it, which a warning
that it wasn't tested for vulnerabilities, does not<br>
add any official security value to Linux and will of course slow the
system down. Furthermore it adds a layer of<br>
security obfuscation which will in itself lead to administrators making
mistakes and inadvertently lowering security<br>
as it is such a PITA.<br>
<br>
Unices were configurable to be secure by many a competant administrator
before this addition of bloat to the OS.<br>
<br>
I choose not to use it, but ocassionally on some of my RHEL installs I
forget to turn it off, <br>
if it is off by default I wouldn't need to keep removing it!<br>
<br>
What I find most curious is, despite the authors of it claiming nothing
of any note about it in terms of security,<br>
and in fact in the link I originally posted the authors go quite some
way to distance themselves from claiming<br>
it adds any actual security, and hasn't been tested for vulnerabilities
as such, that some people still swear by it as<br>
the gospel truth and the only one true path. Whilst such religious
commitment to an unproven cause undoubtedly<br>
shows good faith, I would add that such blind practices are best left
to sunday school or the church sermon.<br>
<br>
P.<br>
<br>
<br>
<br>
rado wrote:
<blockquote cite="mid1158628257.31881.48.camel@rbadmin.rivers-bend.com"
type="cite">
<pre wrap="">On Mon, 2006-09-18 at 20:32 -0400, Jim Perrin wrote:
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">see points for 12 and 13 to substantiate my previous post....
</pre>
</blockquote>
<pre wrap="">12. So it's not 'trusted', big deal neither is linux. That doesn't
mean that it doesn't provide security benefit to the people who want
mandatory access controls.
13. Note the nod here to physical security and personnel security.
Selinux adds mandatory access control support to linux. This will help
prevent some script kiddie from exploiting a hole in php code and
using you for a spam proxy. It will not however stop someone from
walking up and ripping out the hard drive to get to your files, or
protect you from an unguarded shell in the event someone walks off
while logged in as root.
</pre>
<blockquote type="cite">
<pre wrap="">so its not secure and its not trusted and its not going to be B1 and C2
evaluated and point 16 is a killer,
</pre>
</blockquote>
<pre wrap="">16. It's not the NSA's job to debug the linux kernel. They did what
every other developer does and patches it to support their own code.
If you don't like this one, you should probably stop using computers
altogether, everyone does this, and its OS agnostic. Hell, for some
environments, you can't even get the source to attempt to debug it.
</pre>
<blockquote type="cite">
<pre wrap="">point 17 is icing on the cake, (I think SElinux is about 6 feet under by
now)
</pre>
</blockquote>
<pre wrap="">17. This one is stale, because the FAQ you're linking to hasn't been
updated since around 2003. RHEL 4 is very much authorized, and very
much has selinux included, and enabled by default. The second half is
mostly accurate, as selinux does not give added 'acceptability' to the
OS, though it does add to the overall security metric used to judge
system risk.
</pre>
<blockquote type="cite">
<pre wrap="">so bring on the flames, your gonna have to do really well to justify it
now.... (lol)
</pre>
</blockquote>
<pre wrap="">Please refrain from yelling fire in crowded venues, or starting
flamewars on this mailing list.
</pre>
<blockquote type="cite">
<pre wrap="">And all these points are from the authors of SELinux, so save yourself
the trouble and disable it...
</pre>
</blockquote>
<pre wrap="">You're misinterpreting some of this. SELinux is not a silver bullet to
secure everything and be easy to use. It has a limited scope, and a
limited focus. That's the point the 'authors' were making. Lets also
not forget the that 'authors' here are the NSA. They are
professionally paranoid, and are amazingly careful and astute when it
comes to security. Now quit trying to incite a flamewar.
If selinux helps you, then use it. If it doesn't, then don't. No one
is twisting your arm and forcing you at gunpoint to use it.... yet.
The beauty of open source is that it's all about choice. Do what you
want, so long as you're smart enough to do it.
</pre>
</blockquote>
<pre wrap=""><!---->
very good, Jim. I believe you laid it all out where this thread should
be a done deal. I don't use selinux only because it's one of those
"rountoit" thangs.. It seems that if sel* was that bad that RH would
never have it in the os pkg. I don't think I am that far out of line by
stating that most people that don't run it are probably in the same
situation I'm in. I have not studied it yet. And it seems like it's one
of those deals that if you want to run it...you damn sure better
understand it or you are going to find yourself in lots of trouble.
John Rose
</pre>
</blockquote>
</body>
<br />--
<br />This message has been scanned for viruses and
<br />dangerous content by the
<a href="http://www.enhancion.net/"><b>Enhancion</b></a> system scanner,
<br />and is believed to be clean.
</html>