On 8 Jan 2014, at 2:04 am, "m.roth(a)5-cent.us"
<m.roth(a)5-cent.us> wrote:
Here's one for the selinux list: a thread just started on the CentOS list,
about whether the encryption tools from upstream were trustworthy, given
the revelations from Snowdon in the last six months. That, of course,
leads to the question as to whether selinux, and its base policies, are
trustworthy, given they were written by the NSA....
So, why *should* we trust it?
mark "no, I do not have the time or energy to audit and comprehend
the
implications of all of selinux's policies myself"
You and I both know using a mandatory access control is the best way of hardening an OS
and I've yet to see a better one than SELinux.
Even if you don't trust it, SELinux can without a shadow of doubt *significantly*
mitigate the risk associated with compromise (by non-government agencies), which is worth
the time and energy in itself. If what we have heard is true, it doesn't matter who
you are, where you live or what technologies you use, those organisations will access your
systems and collect data as they see fit within their political mandate.
In my humble opinion, turning SELinux "off" would be foolish. It's still
there in the kernel, potentially providing the hypothetical backdoors talked about, but
now you're more vulnerable to the *malicious* non-government groups.
Cheers,
Doug