[CentOS] SELinux threads, cynicism, one-upmanship, etc.
Lamar Owen
lowen at pari.edu
Mon Nov 21 17:02:10 UTC 2005
On Monday 21 November 2005 07:38, Brian T. Brunner wrote:
> What I read is that SELinux is still 'beta',
The SELinux kernel module itself is beyond beta. The policies might be beta
quality, and the documentation needs work for sure; but, pray tell, what in
the typical Linux distribution is NOT beta? Think carefully before you
answer, and think about what is meant by beta (since some here enjoy
splitting hairs; I'll split them, too, as I have actually taught
college-level English (even to the point of teaching that there is no such
thing as 'correct' English; there are conventions, styleguides, and the like,
but there is no such thing as 'perfect' English; the hardest things for a
student to learn are that the dictionary is not an authority on word meaning,
and that the basic unit of English meaning is not the word, but the
sentence)).
> and while the need for good
> security is decades old, we (CentOS/RHEL folks) should not be presumed
> to be willing beta testers. "Enabled by default" presumes I'm willing.
Assuming SELinux is beta. But, again, what else are you running that really
is beta? Are you using OpenSSL (for ssh or sasl or https)? Guess what:
OpenSSL is not only beta but has an API that changes within minor releases
(and with the facial expressions of its developers... or, at least, that's
how it looks). And a crypto bug in SSL would be much worse than any imagined
bug in SELinux.
Further, the package that started all this, dbus, is also beta (judging by
version number, as that is a standard metric, or at least the most standard
of the metrics available).
Run GNOME? The esound system under GNOME is still at a version less than 1.0.
YOUR BOOTLOADER, GRUB, IS BETA (version 0.95). And GRUB has produced the
single largest volume of complaints about the upstream distributor's
policies, that is, of getting rid of LILO, which was not beta.
The hardware abstraction layer, hal, is beta.
The hotplug interface appears to be a particular CVS snapshot, not even a
beta.
Using ipsec-tools? It's beta too.
Using Ethereal? The libpcap underneath is beta (again, by the version number
of 0.8.3), and security bugs have been found in libpcap of a serious nature.
Humph, libusb is alpha, not even beta (I use this heavily when using my
Universal Software Radio Peripheral (USRP), part of the GNUradio project).
The Omni print driver subsystem is beta.
YOUR AUTHENTICATION SUBSYSTEM, PAM, IS BETA (again, judging by the version
number)!
The prelink subsystem, which touches every single executable file on the
system as root, is BETA.
There are others, but these are important, and could impact security in a big
way.
And you're worried about SELinux being beta?
--
Lamar Owen
Director of Information Technology
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
(828)862-5554
www.pari.edu
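The post's recurring metric is "judging by the version number": a package whose upstream version is still 0.x is, on that reading, pre-release code. The script below applies that heuristic to the output of `rpm -qa --queryformat '%{NAME} %{VERSION}\n'` so you can see which packages on a box would be flagged by it. This is an added example and is not code from the original post or from CentOS; the sample RPM lines are constructed for the example (only GRUB 0.95 and libpcap 0.8.3 are versions the post itself cites), and the `--live` flag and helper names are this example's own.

```python
"""Flag installed RPMs whose upstream version is below 1.0.

Added example, not from the original mailing-list post. It applies the
post's own heuristic (a 0.x version number suggests pre-release quality)
to `rpm -qa --queryformat '%{NAME} %{VERSION}\n'` output. The sample lines
are constructed; pass --live to query the real RPM database instead.
"""
import re
import subprocess
import sys

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION}\n'` output.
# Only grub 0.95 and libpcap 0.8.3 are versions the post actually cites;
# the rest are made-up values to exercise the parser.
SAMPLE_RPM_OUTPUT = """\
grub 0.95
libpcap 0.8.3
esound 0.2.35
pam 0.77
openssl 0.9.7a
glibc 2.3.4
httpd 2.0.52
libusb 0.1.8
"""

# Leading "<major>[.<minor>]"; trailing letters/tags (0.9.7a, 1.0rc1) are ignored.
VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?")


def parse_version(version):
    """Return (major, minor) as ints, or None if the string has no leading number."""
    match = VERSION_RE.match(version)
    if not match:
        return None
    return int(match.group(1)), int(match.group(2) or 0)


def pre_1_0(lines):
    """Return [(name, version)] for every line whose major version is 0.

    Each line is expected as "<name> <version>"; blank lines are skipped and
    unparseable versions are left out rather than guessed at.
    """
    flagged = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        name, _, version = line.partition(" ")
        parsed = parse_version(version)
        if parsed is not None and parsed[0] == 0:
            flagged.append((name, version))
    return flagged


def live_rpm_lines():
    """Query the local RPM database (requires rpm on PATH)."""
    result = subprocess.run(
        ["rpm", "-qa", "--queryformat", "%{NAME} %{VERSION}\n"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.splitlines()


if __name__ == "__main__":
    source = live_rpm_lines() if "--live" in sys.argv else SAMPLE_RPM_OUTPUT.splitlines()
    for name, version in pre_1_0(source):
        print(f"{name:<16} {version}")
```

Run it without arguments to see the constructed sample filtered (six of the eight lines are flagged); run it with `--live` on a CentOS host to apply the same heuristic to what is actually installed. Note that the check is exactly as crude as the post's metric: it reads only the leading number, so a 0.9.7a and a 0.95 are treated alike, and a project that never bumps past 0.x despite years of stable releases will be flagged too.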