[CentOS] [OT][Practices] The Case for RBAC/MAC -- SELinux is like NetFilter (please read)

Sat Nov 19 18:03:57 UTC 2005
Les Mikesell <lesmikesell at gmail.com>

On Sat, 2005-11-19 at 06:50, Bryan J. Smith wrote:
> I keep hearing about alleged "bugs" and "holes" and possible "exploits"
> for SELinux.  Please, _please_ understand that SELinux is like
> NetFilter, a supervisory kernel subsystem that _only_ takes _away_
> access (does _not_ grant more).

That's what it is supposed to do.  We are talking about bugs and
unexpected behavior here.  Are you claiming that a bug in
kernel code can't have security implications?

> Now no more "SELinux will open up more holes" nonsense!  In the
> absolute worst case, you write an incorrect SELinux rule, just like you
> might accidentally write an incorrect IPTables rule.  In _either_ case
> you do _not_ get "more holes" than if you had SELinux off, just like you
> do _not_ get "more holes" if you had _no_ IPTables rules.  ;->

No, the worst case would be more like the bug affecting setuid
handling fixed in kernel 2.2.16.  How many years did it take
to find that one? 

-- 
   Les Mikesell
     lesmikesell at gmail.com
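Added example, not part of the thread: the worst case Les points at is a kernel bug in privilege handling, and the classic way that turns into a compromise is a root program that calls setuid() and carries on without checking that it actually took effect. The C below is my own illustration of the defensive pattern (check every privilege-dropping call, then prove to yourself that root cannot be regained); the function names and the uid 65534 are assumptions of this example.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 only if the process really runs as uid/gid AND cannot get
 * root back: an attempt to setuid(0) must fail and leave euid unchanged.
 * A saved-set-uid of 0 left behind by a half-done drop is caught here. */
int verify_privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return -1;
    if (getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && setuid(0) == 0)
        return -1;            /* root was recoverable: not dropped at all */
    if (geteuid() != uid)
        return -1;
    return 0;
}

/* Permanently drop from root to uid/gid.  Every call is checked rather
 * than assumed to work, which is the mistake that lets a kernel-side
 * setuid() failure leave a daemon running as root. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups first; only root may clear them. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* gid before uid: once euid is no longer 0, setgid() would fail. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Do not trust the return codes alone; re-check the resulting state. */
    return verify_privileges_dropped(uid, gid);
}

int main(void)
{
    /* 65534 ("nobody" on many systems) is an assumption of this example. */
    if (drop_privileges(65534, 65534) != 0) {
        fprintf(stderr, "privilege drop failed; refusing to continue\n");
        return 1;
    }
    printf("running as uid %u, root not recoverable\n", (unsigned)geteuid());
    return 0;
}
```

Run as an unprivileged user the drop fails honestly (setgid() returns an error) instead of pretending to succeed, which is the point: a failed drop must abort, never be ignored.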