On Sat, 2005-11-19 at 06:50, Bryan J. Smith wrote:
> I keep hearing about alleged "bugs" and "holes" and possible "exploits" for SELinux. Please, _please_ understand that SELinux is like NetFilter, a supervisory kernel subsystem that _only_ takes _away_ access (does _not_ grant more).
That's what it is supposed to do. We are talking about bugs and unexpected behavior here. Are you claiming that a bug in kernel code can't have security implications?
> Now no more "SELinux will open up more holes" nonsense! In the absolute worst case, you write an incorrect SELinux rule, just like you might accidentally write an incorrect IPTables rule. In _either_ case you do _not_ get "more holes" than if you had SELinux off, just like you do _not_ get "more holes" if you had _no_ IPTables rules. ;->
No, the worst case would be more like the bug affecting setuid handling fixed in kernel 2.2.16. How many years did it take to find that one?
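The distinction the two posters are circling, a wrong rule versus a bug in the enforcing code, can be made concrete with a small model of a deny-only reference monitor layered on top of DAC. The example below is added here and is not code from the thread, from SELinux or from the kernel; the subjects, objects, labels, mode bits, policies and the fail-open bug are all constructed for illustration, and the real LSM hook ordering and capability handling are deliberately left out.

```python
"""Toy model of a deny-only reference monitor stacked on DAC.

Constructed example, not kernel or SELinux code.  The correct monitor computes
DAC AND policy, so an over-permissive (or otherwise wrong) rule can never grant
more than DAC alone: the worst case really is "as if SELinux were off".  A bug
in the enforcement code itself, modelled here as failing open on a label the
policy never declared, has no such bound.
"""
from itertools import product

# Constructed sample world: subjects carry a uid and a type label; objects carry
# an owner uid, (owner, other) mode bits and a label.  Root and CAP_DAC_OVERRIDE
# are omitted to keep the model small.
SUBJECTS = {
    "alice": {"uid": 1000, "label": "user_t"},
    "httpd": {"uid": 48, "label": "httpd_t"},
}
OBJECTS = {
    "/home/alice/notes": {"owner": 1000, "mode": (0o6, 0o0), "label": "user_home_t"},
    "/var/www/index.html": {"owner": 48, "mode": (0o6, 0o4), "label": "httpd_content_t"},
    "/etc/shadow": {"owner": 0, "mode": (0o6, 0o0), "label": "shadow_t"},
}
PERMS = ("read", "write")
ALL = [(s, o, p) for s, o, p in product(SUBJECTS, OBJECTS, PERMS)]


def dac_allows(subj, obj, perm):
    """Classic owner/other mode-bit check."""
    bits = obj["mode"][0] if subj["uid"] == obj["owner"] else obj["mode"][1]
    return bool(bits & (0o4 if perm == "read" else 0o2))


def mac_allows(policy, subj, obj, perm):
    """Type-enforcement lookup: default deny for known labels.  An object label
    the policy never declared is an internal error; the two monitors below
    differ only in how they handle that error."""
    known = {ol for _, ol in policy}
    if obj["label"] not in known:
        raise KeyError(obj["label"])
    return perm in policy.get((subj["label"], obj["label"]), ())


def decide(policy, subj, obj, perm):
    """Correct monitor: DAC first, then the hook, and a hook error is a denial.
    Whatever the policy says, the result is never more than DAC alone grants."""
    if not dac_allows(subj, obj, perm):
        return False
    try:
        return mac_allows(policy, subj, obj, perm)
    except KeyError:
        return False


def decide_fail_open(policy, subj, obj, perm):
    """Constructed enforcement bug: the hook runs first and its internal error is
    treated as 'no opinion' by returning success, which skips the DAC check."""
    try:
        if not mac_allows(policy, subj, obj, perm):
            return False
    except KeyError:
        return True  # the bug: fail open
    return dac_allows(subj, obj, perm)


def permitted(monitor, policy):
    """Set of (subject, object, perm) triples a monitor grants under a policy."""
    return {t for t in ALL if monitor(policy, SUBJECTS[t[0]], OBJECTS[t[1]], t[2])}


DAC_ONLY = {t for t in ALL if dac_allows(SUBJECTS[t[0]], OBJECTS[t[1]], t[2])}

# The worst "wrong rule": every type may do everything to every type.
SLOPPY_POLICY = {(sl, ol): PERMS for sl in ("user_t", "httpd_t")
                 for ol in ("user_home_t", "httpd_content_t", "shadow_t")}

# A sensible policy that simply never declares shadow_t.
INCOMPLETE_POLICY = {("user_t", "user_home_t"): ("read", "write"),
                     ("httpd_t", "httpd_content_t"): ("read",)}


def wrong_rule_is_bounded_by_dac():
    """Sloppy rules under the correct monitor grant exactly the DAC set."""
    return permitted(decide, SLOPPY_POLICY) == DAC_ONLY


def code_bug_exceeds_dac():
    """Accesses the fail-open monitor grants although DAC denies them."""
    return permitted(decide_fail_open, INCOMPLETE_POLICY) - DAC_ONLY


if __name__ == "__main__":
    print("sloppy policy grants no more than DAC:", wrong_rule_is_bounded_by_dac())
    print("granted despite DAC denial:", sorted(code_bug_exceeds_dac()))
```

The first function is the claim in the quoted post: with a correct monitor, even a policy that allows everything collapses to plain DAC. The second is the reply's point: once the enforcement code itself misbehaves, the "at worst it is as if SELinux were off" bound no longer holds, and both users end up with write access to a file DAC denies them.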