[CentOS] [OT][Practices] The Case for RBAC/MAC

Fri Nov 18 17:47:58 UTC 2005
Les Mikesell <lesmikesell at gmail.com>

On Fri, 2005-11-18 at 08:53, Bryan J. Smith wrote:

> Yet according to him, people like you and I who are implementing SELinux
> in the same environments, we're doing it all for naught!  That's simply not
> true!  And I agree, remote systems are _ideal_ for RBAC/MAC.

Well, it may or may not be true.  It is certainly well-intentioned, but
we are talking about bugs and unexpected behavior here which by
definition aren't predictable.  You may, by adding extra layers
of security, protect against some flaw that will turn up even in
the simple, well understood existing programming.  Or, you may,
by adding extra layers of complexity and less-tested code, introduce
new vulnerabilities that no one understands yet.  And even more
likely, by making normal operations more difficult, you set up
the authorized users to need more outside help and more chances for
social engineering efforts to steal their credentials.  

-- 
  Les Mikesell
   lesmikesell at gmail.com