[CentOS] SELinux threads, cynicism, one-upmanship, etc.

Peter Farrow peter at farrows.org
Mon Nov 21 17:12:35 UTC 2005


Lamar Owen has pointed out to me that the humour angle on my replies may 
have been lost in the email process, indeed certainly so by the email 
Lamar has sent me off list.

So just to get this straight, my emails have never been intended to be rude 
or to put people down; to that end I will extend an apology to you, 
"Johnny Hughes", if I offended you.

And thanks for your latest comment on SELinux.

Regards

Pete


Lamar Owen wrote:

>On Monday 21 November 2005 07:38, Brian T. Brunner wrote:
>>What I read is that SELinux is still 'beta',
>
>The SELinux kernel module itself is beyond beta.  The policies might be beta 
>quality, and the documentation needs work for sure; but, pray tell, what in 
>the typical Linux distribution is NOT beta?  Think carefully before you 
>answer, and think about what is meant by beta (since some here enjoy 
>splitting hairs; I'll split them, too, as I have actually taught 
>college-level English (even to the point of teaching that there is no such 
>thing as 'correct' English; there are conventions, style guides, and the like, 
>but there is no such thing as 'perfect' English; the hardest things for a 
>student to learn are that the dictionary is not an authority on word meaning, 
>and that the basic unit of English meaning is not the word, but the 
>sentence)).
>
>>and while the need for good 
>>security is decades old, we (CentOS/RHEL folks) should not be presumed
>>to be willing beta testers.  "Enabled by default" presumes I'm willing.
>
>Assuming SELinux is beta.  But, again, what else are you running that really 
>is beta?  Are you using OpenSSL (for ssh or sasl or https)?  Guess what: 
>OpenSSL is not only beta but has an API that changes within minor releases 
>(and with the facial expressions of its developers... or, at least, that's 
>how it looks).  And a crypto bug in SSL would be much worse than any imagined 
>bug in SELinux.  
>
>Further, the package that started all this, dbus, is also beta (judging by 
>version number, as that is a standard metric, or at least the most standard 
>of the metrics available).  
>
>Run GNOME?  The esound system under GNOME is still at a version less than 1.0.  
>
>YOUR BOOTLOADER, GRUB, IS BETA (version 0.95). And GRUB has produced the 
>single largest volume of complaints about the upstream distributor's 
>policies, that is, of getting rid of LILO, which was not beta.
>
>The hardware abstraction layer, hal, is beta.  
>
>The hotplug interface appears to be a particular CVS snapshot, not even a 
>beta.  
>
>Using ipsec-tools?  It's beta too.  
>
>Using ethereal?  The libpcap underneath is beta (again, by the version number 
>of 0.8.3), and security bugs have been found in libpcap of a serious nature.  
>
>Humph, libusb is alpha, not even beta (I use this heavily when using my 
>Universal Software Radio Peripheral (USRP), part of the GNUradio project).  
>
>The Omni print driver subsystem is beta.  
>
>YOUR AUTHENTICATION SUBSYSTEM, PAM, IS BETA (again, judging by the version 
>number)!  
>
>The prelink subsystem, which touches every single executable file on the 
>system as root, is BETA.  
>
>There are others, but these are important, and could impact security in a big 
>way.
>
>And you're worried about SELinux being beta? 