[CentOS] SELinux threads, cynicism, one-upmanship, etc.

Lamar Owen lowen at pari.edu
Mon Nov 21 17:02:10 UTC 2005


On Monday 21 November 2005 07:38, Brian T. Brunner wrote:
> What I read is that SELinux is still 'beta',

The SELinux kernel module itself is beyond beta.  The policies might be beta 
quality, and the documentation needs work for sure; but, pray tell, what in 
the typical Linux distribution is NOT beta?  Think carefully before you 
answer, and think about what is meant by beta (since some here enjoy 
splitting hairs; I'll split them, too, as I have actually taught 
college-level English (even to the point of teaching that there is no such 
thing as 'correct' English; there are conventions, style guides, and the like, 
but there is no such thing as 'perfect' English; the hardest thing for a 
student to learn is that the dictionary is not an authority on word meaning, 
and that the basic unit of English meaning is not the word, but the 
sentence)).

> and while the need for good 
> security is decades old, we (CentOS/RHEL folks) should not be presumed
> to be willing beta testers.  "Enabled by default" presumes I'm willing.

Assuming SELinux is beta.  But, again, what else are you running that really 
is beta?  Are you using OpenSSL (for ssh or sasl or https)?  Guess what: 
OpenSSL is not only beta but has an API that changes within minor releases 
(and with the facial expressions of its developers... or, at least, that's 
how it looks).  And a crypto bug in SSL would be much worse than any imagined 
bug in SELinux.

Further, the package that started all this, dbus, is also beta (judging by 
version number, as that is a standard metric, or at least the most standard 
of the metrics available).  

Run GNOME?  The esound system under GNOME is still at a version less than 1.0.  

YOUR BOOTLOADER, GRUB, IS BETA (version 0.95). And GRUB has produced the 
single largest volume of complaints about the upstream distributor's 
policies, that is, of getting rid of LILO, which was not beta.

The hardware abstraction layer, hal, is beta.  

The hotplug interface appears to be a particular CVS snapshot, not even a 
beta.  

Using ipsec-tools?  It's beta too.  

Using ethereal?  The libpcap underneath is beta (again, by the version number 
of 0.8.3), and security bugs have been found in libpcap of a serious nature.  

Humph, libusb is alpha, not even beta (I use this heavily when using my 
Universal Software Radio Peripheral (USRP), part of the GNU Radio project).

The Omni print driver subsystem is beta.  

YOUR AUTHENTICATION SUBSYSTEM, PAM, IS BETA (again, judging by the version 
number)!  

The prelink subsystem, which touches every single executable file on the 
system as root, is BETA.  

There are others, but these are important, and could impact security in a big 
way.
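The list above uses the version number as the "is it beta?" metric. The following script is an added example, not part of Lamar's post, that applies that same metric across a package list: it reads "name version" lines and prints every package whose leading version component is 0. The sample input is constructed; apart from the GRUB and libpcap versions quoted in the post, the version strings are placeholders and not checked against any real release. On an RPM-based system the real input comes from `rpm -qa --qf '%{NAME} %{VERSION}\n'`.

```shell
#!/bin/sh
# Added example (not from the original post): flag installed packages whose
# version number is below 1.0, i.e. "beta by version number".
# Real usage on an RPM system (not run here):
#   rpm -qa --qf '%{NAME} %{VERSION}\n' | flag_pre_1_0

# Return 0 (true) when the leading numeric component of a version string is 0.
# A leading non-digit prefix such as "v" is stripped first.
is_pre_1_0() {
    major=$(printf '%s' "$1" | sed 's/^[^0-9]*//; s/[^0-9].*//')
    case "$major" in
        0) return 0 ;;
        *) return 1 ;;
    esac
}

# Read "name version" lines from stdin and print only the pre-1.0 ones.
flag_pre_1_0() {
    while read -r name version; do
        [ -z "$name" ] && continue
        if is_pre_1_0 "$version"; then
            printf '%s %s\n' "$name" "$version"
        fi
    done
}

# Constructed sample input. grub 0.95 and libpcap 0.8.3 are the versions
# quoted in the post; the rest are placeholders, not real release numbers.
SAMPLE='grub 0.95
libpcap 0.8.3
openssl 0.9.7
dbus 0.22
pam 0.77
bash 3.0
glibc 2.3.4'

# Run the audit over the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE" | flag_pre_1_0
}

audit_sample
```

The point of the exercise is the one the post makes: a sub-1.0 version string says something about a project's own release confidence, not about whether the code has had security review, so the output is a starting list for asking "what does this component touch as root?" rather than a verdict.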

And you're worried about SELinux being beta? 
-- 
Lamar Owen
Director of Information Technology
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC  28772
(828)862-5554
www.pari.edu
