[CentOS] [OT][Practices] The Case for RBAC/MAC -- SELinux is like NetFilter (please read)

Les Mikesell lesmikesell at gmail.com
Sat Nov 19 18:03:57 UTC 2005

On Sat, 2005-11-19 at 06:50, Bryan J. Smith wrote:
> I keep hearing about alleged "bugs" and "holes" and possible "exploits"
> for SELinux.  Please, _please_ understand that SELinux is like
> NetFilter, a supervisory kernel subsystem that _only_ takes _away_
> access (does _not_ grant more).

That's what it is supposed to do.  We are talking about bugs and
unexpected behavior here.  Are you claiming that a bug in
kernel code can't have security implications?

> Now no more "SELinux will open up more holes" nonsense!  In the
> absolute worst case, you write an incorrect SELinux rule, just like you
> might accidentally write an incorrect IPTables rule.  In _either_ case
> you do _not_ get "more holes" than if you had SELinux off, just like you
> do _not_ get "more holes" if you had _no_ IPTables rules.  ;->

No, the worst case would be more like the bug affecting setuid
handling fixed in kernel 2.2.16.  How many years did it take
to find that one?

   Les Mikesell
     lesmikesell at gmail.com