[CentOS] selinux stuff - I just don't get

Peter Farrow peter at farrows.org
Mon Nov 14 14:12:13 UTC 2005


Furthermore, why people believe adding complexity to a system "makes
it more secure" baffles me.

We enter into the realms of "security by obscurity", and Bill Gates' 
"bloat and crash ware" epitomises that....


Peter Farrow wrote:

> I agree Les,
>
> SELinux just adds bloat that we've managed without for many, many years.
>
> Another layer of complexity to allow another layer of 
> holes/backdoors/exploits.
>
> NOT NEEDED!!!!
>
> Regards
>
> Pete
>
>
> Les Mikesell wrote:
>
>> On Mon, 2005-11-14 at 05:04, Tony wrote:
>>  
>>
>>> It always amazes me how quick people are to suggest that you just
>>> switch selinux off, without balancing the suggestion with an
>>> explanation of what they are losing by doing this.
>>>   
>>
>>
>> What you get without it is the well-understood unix permission
>> system that served everyone well for several decades.  Exploits
>> involving buggy code have happened, but if we've learned anything
>> along the way it is that adding new and less-tested code to a
>> working system doesn't necessarily make it more secure.
>>
>>  
>>
>>> Would you switch a firewall off because it keeps filling your log
>>> files up with packet info?  An English expression involving babies and
>>> bathwater springs to mind ;-)
>>>   
>>
>>
>> I'd need some reason to think that the firewall code was
>> less likely to be exploited than the rest of the system it
>> is supposed to be protecting to consider it important.
>>