[CentOS] SELinux threads, cynicism, one-upmanship, etc.
peter at farrows.org
Fri Nov 25 23:09:31 UTC 2005
Some of you seem to be drowning in the "complex=secure" scenario.
SELinux adds complexity, the biggest dangers in computer hacking come
from within your own network.
90% of hacking jobs are in house as the statistics show.
SELinux makes security complex and bloat-like, the same thing that makes
Windows insecure, this makes the admin job harder, which will lead to
mistakes, which will make it hard to find holes, which will inevitably
lead to a less secure system.... QED.
Perhaps all of you that _LOVE_ SELinux so much should branch off to a
new flavour of Linux,
I propose that you name it BloatOS,
Just keep it well away from me.
My boxes have SELinux=disabled on all of them (that's a big number by the
I don't need it, those sysadmins who feel they need to use, sure go
ahead and use it, but please don't take the moral high ground saying
using it is definitely better and more secure, because I find that kind
of talk irritating because it is so wrong.
One thing is for sure, SELinux slows the box down, which perhaps you
could start arguing that "aah yes the box is so much slower now, it will
take a hacker longer to get in - hey SELinux really is secure for that
reason alone" -- ROTFLOL....
I think you should rename this thread BloatOS.
You could then write a shell script called "unbloat" or "speedup".
I propose it contains:
rpm -e libselinux-1.19.1-7 selinux-policy-targeted-1.17.30-2.110
Maybe that too has some marketing mileage, you could sell this script as
a box performance enhancer,
Les Mikesell wrote:
>On Fri, 2005-11-18 at 22:42, Lamar Owen wrote:
>>Maybe I'm wrong, but I think any admin needs to experience having their box
>>cracked. It will produce the humbleness necessary to the trade, because
>>overconfidence is dangerous.
>Yes, but when the box gets cracked _because_ they are using the
>latest new thing their distribution added under the guise of
>increased security, as happened with ssh a while back, it
>also produces the attitude that new stuff should soak a long,
>long while in a distribution like Fedora before going onto
>production boxes. You want to at least wait until the surprises
>stop - and I take the flurry of reports of broken apps at
>every update as an indication that they haven't stopped yet.
>Your analogy to a weapon was a good one. When the experts
>tuning the distribution still can't keep it from blowing
>up in people's faces some of the time, normal people should
>keep their distance. When the Fedora and CentOS lists go
>several months without a mysterious app failure caused by
>SELinux it will be time to reconsider.