I keep hearing about alleged "bugs" and "holes" and possible "exploits" for SELinux. Please, _please_ understand that SELinux is like NetFilter, a supervisory kernel subsystem that _only_ takes _away_ access (does _not_ grant more).
On Fri, 2005-11-18 at 10:41 -0800, Bryan J. Smith wrote:
This is _far_ less likely. Why? RBAC/MAC doesn't "grant" access by default. It removes it! RBAC/MAC is _not_ a "service" -- it's a kernel subsystem that removes access.
It's like saying the Linux NetFilter (which is used by IPTables for those that don't know) introduces vunerabilities into the IP stack. NetFilter only _denies_ access, it does _not_ allow any "new" access! @-p
That's something that people keep missing here. RBAC/MAC is _not_ a "service" anymor ethan NetFilter is! Sure, you can screw up your RBAC/MAC rules just like IPTables rules, but not any more than having _no_ rules!
[ Please, please tell me some lightbulbs out there went off? ;-]
Now no more "SELinux will open up more holes" non-sense! In the absolute worst case, you write an incorrect SELinux rule, just like you might accidentally write an incorrect IPTables rule. In _either_ case you do _not_ get "more holes" than if you had SELinux off, just like you do _not_ get "more holes" if you had _no_ IPTables rules. ;->
[ Again, please tell me some lightbulbs went off?! ]
At this point, I could _care_less_ if some of you use SELinux out there. But please stop with the technically inaccurate statements that SELinux bugs could cause more holes than when SELinux disabled. It's like saying the wrong IPTables rule can cause more holes than with NetFilter disabled and no IPTables rules at all (allow everything in/out)!