On Sat, 2005-11-19 at 06:50, Bryan J. Smith wrote: > I keep hearing about alleged "bugs" and "holes" and possible "exploits" > for SELinux. Please, _please_ understand that SELinux is like > NetFilter, a supervisory kernel subsystem that _only_ takes _away_ > access (does _not_ grant more). That's what it is supposed to do. We are talking about bugs and unexpected behavior here. Are you claiming that a bug in kernel code can't have security implications? > Now no more "SELinux will open up more holes" non-sense! In the > absolute worst case, you write an incorrect SELinux rule, just like you > might accidentally write an incorrect IPTables rule. In _either_ case > you do _not_ get "more holes" than if you had SELinux off, just like you > do _not_ get "more holes" if you had _no_ IPTables rules. ;-> No, the worst case would be more like the bug affecting setuid handling fixed in kernel 2.2.16. How many years did it take to find that one? -- Les Mikesell lesmikesell at gmail.com