[CentOS] SELinux threads, cynicism, one-upmanship, etc.
Les Mikesell
lesmikesell at gmail.com
Sat Nov 19 21:10:22 UTC 2005
On Sat, 2005-11-19 at 14:02, Lamar Owen wrote:
> So much for older and simpler is
> better; why don't we go back to VMS? It's substantially more secure than
> Linux (the Linux kernel and heritage is not 30 years old, because Linux is
> not Unix).
The VMS model isn't older and simpler than unix - it is more complex and
around the same age. The unix model was intentionally simplified by
someone familiar with Multics, an older and much more complicated
system. People have had a choice between VMS and unix for a long time
and VMS found a very small niche of popularity. Linux may not be unix
but its design goal was to provide the same api - and for good reasons.
> > The mechanism was there all along, the policy wasn't - and the policy
> > didn't belong in the kernel.
>
> Sure, the policy of chroot is indeed in the kernel, and the kernel
> enforces the chroot, no?
No, the kernel provides the mechanism of chroot, and has more or less
forever. A policy of using it or not is left up to you. Simplicity
in the kernel.
> The other typical answer to exploits is firewalling: pray tell where that
> policy is enforced.
The best place is on a separate box from anything that it should be
protecting.
--
Les Mikesell
lesmikesell at gmail.com