10:04 a.m.
Here's one for the selinux list: a thread just started on the CentOS list,
about whether the encryption tools from upstream were trustworthy, given
the revelations from Snowdon in the last six months. That, of course,
leads to the question as to whether selinux, and its base policies, are
trustworthy, given they were written by the NSA....
So, why *should* we trust it?
mark "no, I do not have the time or energy to audit and comprehend
the
implications of all of selinux's policies myself"
10:06 a.m.
On Tue, 7 Jan 2014 11:04:33 -0500
m.roth(a)5-cent.us wrote:
So, why *should* we trust it?
The choice is your to use or not use.
Otherwise they can clone my pc for all I care.
___
Regards,
Frank
www.frankly3d.com
10:32 a.m.
Frank Murphy wrote:
On Tue, 7 Jan 2014 11:04:33 -0500
m.roth(a)5-cent.us wrote:
> So, why *should* we trust it?
The choice is your to use or not use.
Otherwise they can clone my pc for all I care.
Of course, RH, and all its descendants, like CentOS and Scientific Linux,
have it enabled by default on a basic install. For one thing, I turned it
to permissive when I just rebuilt my system at home, and have no intention
of enforcing - it drives me crazy enough at work, and if they want to read
my email or personal stuff, they need to come in with a warrant (I use
pop3, not imap)
At work... we do have HIPAA and PII data on some machines, and so that
*is* a concern - the NSA should *not* be looking at that stuff.
mark
10:48 a.m.
On Tue, Jan 07, 2014 at 11:04:33 -0500,
m.roth(a)5-cent.us wrote:
Here's one for the selinux list: a thread just started on the
CentOS list,
about whether the encryption tools from upstream were trustworthy, given
the revelations from Snowdon in the last six months. That, of course,
leads to the question as to whether selinux, and its base policies, are
trustworthy, given they were written by the NSA....
So, why *should* we trust it?
The code was looked at by other kernel developers. There are already plenty
of kernel bugs being found, I don't think the risk of using the selinux code
is significantly higher than using the rest of the kernel.
Selinux itself, isn't doing anything secret. At its heart it's a pretty
simple system.
12:44 p.m.
On 8 Jan 2014, at 2:04 am, "m.roth(a)5-cent.us"
<m.roth(a)5-cent.us> wrote:
Here's one for the selinux list: a thread just started on the CentOS list,
about whether the encryption tools from upstream were trustworthy, given
the revelations from Snowdon in the last six months. That, of course,
leads to the question as to whether selinux, and its base policies, are
trustworthy, given they were written by the NSA....
So, why *should* we trust it?
mark "no, I do not have the time or energy to audit and comprehend
the
implications of all of selinux's policies myself"
You and I both know using a mandatory access control is the best way of hardening an OS
and I've yet to see a better one than SELinux.
Even if you don't trust it, SELinux can without a shadow of doubt *significantly*
mitigate the risk associated with compromise (by non-government agencies), which is worth
the time and energy in itself. If what we have heard is true, it doesn't matter who
you are, where you live or what technologies you use, those organisations will access your
systems and collect data as they see fit within their political mandate.
In my humble opinion, turning SELinux "off" would be foolish. It's still
there in the kernel, potentially providing the hypothetical backdoors talked about, but
now you're more vulnerable to the *malicious* non-government groups.
Cheers,
Doug
3762
days inactive
3762
days old
selinux@lists.fedoraproject.org
4 comments
4 participants
participants (4)
-
Bruno Wolff III -
Douglas Brown -
Frank Murphy -
mark