SELinux removed from desktop cd spin?

Douglas McClendon dmc.fedora at filteredperception.org
Thu Jan 17 06:14:02 UTC 2008


Andrew Farris wrote:
> Douglas McClendon wrote:
>> <rant>
>>
>> I wish I could say that I'm sorry to crush your hopes, but I'm really 
>> not.  Despite what I've said in the past, I have the utmost respect 
>> for selinux and security.  But what I don't have any respect for is 
>> people of your mind, who myopically just see "increased security".  
>> People who view security that way IMO contribute to some of the worst 
>> cancers against humanity.
>>
>> This is just standard rhetoric that I shouldn't be wasting my time 
>> repeating here, but security is ALWAYS a balance and a tradeoff 
>> against other *values*, and never an absolute.
> 
> Sounds like politically charged nonsense, not rhetoric related to 
> computer security.
> 
>> When selinux is the right tool for the job, bringing a greater benefit 
>> to the system at hand than the costs involved with using it, then 
>> great.  But to claim that it should remain in "*all* of the fedora 
>> spins" is IMO utterly wrong, and a narrow vision of what fedora could 
>> be useful for.  There are times and applications where selinux is JUST 
>> NOT WORTH IT.  I'm not saying it's the majority of the time, or even 
>> >1%.  But if fedora is (to be) used in tens of millions of systems, 1% 
>> of that is actually a *significant* number.
>>
>> If only I could waterboard the fuck out of all the loyal bushies that 
>> see "national security" as the *only* value to be measured when making 
>> a decision.
> 
> Humanity and liberty are so important to you that you want to torture 
> people (and evidently not to gather information because you know it 
> already).  Clearly we're learning something here.
> 
>> There are times when you let innocent people die and get hurt by 
>> terrorists, because the values sacrificed in making a decision that 
>> could and does stop the terrorists, are MORE IMPORTANT than a narrow 
>> short term view of "national security".
> 
> "Essential Liberty vs. Temporary Freedom".  Yes, liberty is important, 
> but largely unrelated to whether you have selinux present in your 
> favorite spin.
> 
> SELinux *should* be in every official Fedora spin, especially those to 
> be used on networked computer systems.  But it should also be possible 
> to turn it off and/or uninstall it, and be possible to build custom 
> packages for embedded processing applications without it... but if I 
> want an embedded linux with selinux enabled why shouldn't it be there 
> available?

Since I love politically charged discussions-  What you just said is 
similar to the logical difference between

a) not mandating that evolution to be taught as a theory in schools

vs

b) mandating that evolution not be taught as a theory in schools.

I.e., I whole heartedly agree with you that if you want an embedded 
linux with selinux enabled, it SHOULD be available.

But my holding that opinion does not change the fact that I also hold 
the opinion that at some point down the road, there should be an 
official fedora spin that comes with selinux disabled.

Clearly since I work on livecd-tools and the like, I am all for making 
it as easy as possible to create variants.

But really, since I know how easy it is to just spin a distro of linux 
wiht 99.9999% the same code base as fedora, that just isn't called 
fedora, I don't *REALLY* care about this technical issue very much, and 
I *REALLY* was just doing some soapboxing.  But I think the political 
and technical points I made (computer security, national security) are 
not so disjoint that it is useless to speak of them in the same breath.


> 
> Choice (somehow related to Liberty in your rant) does not mean you get 
> to choose what is present all the time, it means you get to choose 
> whether to use it or not.  The presence of selinux does not infringe on 
> your 'choice'.  The preference of one person to have it in all spins 
> does not infringe on your 'choice'.  More importantly, the desire of 
> some to improve computer security around the globe does not prevent you 
> from running open boxes with blank root passwords... the choice is yours 
> how insecure you want it.

I agree with every bit of that.  Not sure what you thought I meant that 
was different.

> 
>> I sincerely hope that what I've said will cause you to think a little 
>> more before uttering "I hope everyone agrees with me that more 
>> security is always better" again.  But I welcome you to crush my hopes 
>> as I've just crushed yours.
> 
> SELinux can and very likely will protect computer systems for 
> terrorist's use just as easily as anyone else, since it is 1) free, 2) 
> available to the entire known universe; it therefore has nothing 
> whatsoever to do with US national security in the context of your 
> 'rhetoric' and poorly argued politics.

I was really talking about whether the choice to use torture to improve 
national security, without considering the other values lost in the 
decision, was a wise one to make.

The parallel was whether or not the choice to *ALWAYS* use selinux to 
improve computer security, without considering the other values 
(bloat/performance degradation/user frustration), was not a wise one to 
make.

But sometimes the subtlety of my logic goes over people's heads.

-dmc




More information about the devel mailing list