[CentOS] [OT][Practices] The Case for RBAC/MAC -- SELinux is like NetFilter (please read)

Bryan J. Smith thebs413 at earthlink.net
Sat Nov 19 12:50:35 UTC 2005


I keep hearing about alleged "bugs" and "holes" and possible "exploits"
for SELinux.  Please, _please_ understand that SELinux is like
NetFilter, a supervisory kernel subsystem that _only_ takes _away_
access (does _not_ grant more).

On Fri, 2005-11-18 at 10:41 -0800, Bryan J. Smith wrote:
> This is _far_ less likely.  Why?  RBAC/MAC doesn't "grant"
> access  by default.  It removes it!  RBAC/MAC is _not_ a
> "service" -- it's a kernel subsystem that removes access.
> 
> It's like saying the Linux NetFilter (which is used by
> IPTables for those that don't know) introduces vulnerabilities
> into the IP stack.  NetFilter only _denies_ access, it does
> _not_ allow any "new" access!  @-p
> 
> That's something that people keep missing here.  RBAC/MAC is
> _not_ a "service" any more than NetFilter is!  Sure, you can
> screw up your RBAC/MAC rules just like IPTables rules, but
> not any more than having _no_ rules!
> 
> [ Please, please tell me some lightbulbs out there went off?
> ;-]

Now no more "SELinux will open up more holes" nonsense!  In the
absolute worst case, you write an incorrect SELinux rule, just like you
might accidentally write an incorrect IPTables rule.  In _either_ case
you do _not_ get "more holes" than if you had SELinux off, just like you
do _not_ get "more holes" if you had _no_ IPTables rules.  ;->

[ Again, please tell me some lightbulbs went off?! ]

At this point, I could _care_less_ if some of you use SELinux out there.
But please stop with the technically inaccurate statements that SELinux
bugs could cause more holes than when SELinux is disabled.  It's like
saying the wrong IPTables rule can cause more holes than with NetFilter
disabled and no IPTables rules at all (allow everything in/out)!


-- 
Bryan J. Smith   b.j.smith at ieee.org   http://thebs413.blogspot.com
-------------------------------------------------------------------
For everything else *COUGH*commercials*COUGH* there's "ManningCard"
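
The point of the post (a MAC layer is consulted after DAC and can only refuse, so even a wrong policy never exceeds what "SELinux off" already permits) can be checked mechanically. The following is an added illustration, not code from the post or from the SELinux project: a toy model of the kernel's DAC-then-LSM ordering with a minimal parser for type-enforcement `allow` rules. The processes, files, labels and both policies are constructed for the example; the buggy policy deliberately over-grants, and the model shows its allowed set still never widens beyond the disabled case.

```python
import re
from dataclasses import dataclass


# Constructed sample objects (not from the post).
@dataclass(frozen=True)
class Process:
    uid: int
    domain: str          # SELinux domain the process runs in, e.g. httpd_t


@dataclass(frozen=True)
class File:
    owner: int
    mode: int            # POSIX mode bits, e.g. 0o644
    label: str           # SELinux type of the file, e.g. httpd_sys_content_t


PERM_BIT = {"read": 4, "write": 2, "execute": 1}

# Matches the familiar 'allow <domain> <type>:<class> { perms };' shape of TE rules.
ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s*\{([^}]*)\}\s*;")


def parse_te_allow_rules(text):
    """Turn allow rules into {(domain, type, class): {perms}} (assumed toy syntax)."""
    rules = {}
    for src, tgt, cls, perms in ALLOW_RE.findall(text):
        rules.setdefault((src, tgt, cls), set()).update(perms.split())
    return rules


def dac_allows(proc, f, perm):
    """Classic DAC, simplified: root overrides mode bits; otherwise owner or 'other' bits decide."""
    if proc.uid == 0:
        return True
    bits = (f.mode >> 6) & 7 if proc.uid == f.owner else f.mode & 7
    return bool(bits & PERM_BIT[perm])


def mac_allows(policy, proc, f, perm):
    """Type enforcement: nothing is allowed unless an allow rule says so."""
    return perm in policy.get((proc.domain, f.label, "file"), set())


def access(proc, f, perm, policy=None):
    """Kernel ordering: DAC is checked first; the MAC hook runs only if DAC passed and can
    only refuse. policy=None models SELinux disabled (same result as permissive mode)."""
    if not dac_allows(proc, f, perm):
        return False
    if policy is None:
        return True
    return mac_allows(policy, proc, f, perm)


def allowed_set(procs, files, policy=None):
    """Every (domain, uid, label, perm) combination the model would permit."""
    return {(p.domain, p.uid, f.label, perm)
            for p in procs for f in files for perm in PERM_BIT
            if access(p, f, perm, policy)}


# Constructed policies.  GOOD_POLICY is deliberately narrow; BUGGY_POLICY is the
# "I wrote an incorrect rule" case and grants httpd_t everything on these types.
GOOD_POLICY = parse_te_allow_rules("""
allow httpd_t httpd_sys_content_t:file { read getattr };
allow httpd_t tmp_t:file { read };
""")
BUGGY_POLICY = parse_te_allow_rules("""
allow httpd_t httpd_sys_content_t:file { read write execute };
allow httpd_t tmp_t:file { read write execute };
allow httpd_t shadow_t:file { read write execute };
""")

PROCS = [Process(uid=48, domain="httpd_t"), Process(uid=0, domain="httpd_t")]
FILES = [
    File(owner=0, mode=0o644, label="httpd_sys_content_t"),   # think /var/www/html/index.html
    File(owner=1000, mode=0o666, label="tmp_t"),             # a world-writable scratch file
    File(owner=0, mode=0o000, label="shadow_t"),             # think /etc/shadow
]


def policy_never_widens(policy):
    """The property the post argues for: enforcing any policy yields a subset of the disabled case."""
    return allowed_set(PROCS, FILES, policy) <= allowed_set(PROCS, FILES, None)


if __name__ == "__main__":
    print("disabled:", len(allowed_set(PROCS, FILES)),
          "good policy:", len(allowed_set(PROCS, FILES, GOOD_POLICY)),
          "buggy policy:", len(allowed_set(PROCS, FILES, BUGGY_POLICY)))
    print("good never widens:", policy_never_widens(GOOD_POLICY),
          "buggy never widens:", policy_never_widens(BUGGY_POLICY))
```

Two things the model makes visible that the prose only asserts: the narrow policy refuses httpd_t a write to the world-writable tmp_t file even though DAC would allow it, and a root-owned process in httpd_t loses its DAC override on shadow_t; the over-grant in the buggy policy collapses back to exactly the disabled case, never past it.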
