SElinux

Mike McCarty Mike.McCarty at sbcglobal.net
Tue Apr 4 06:49:35 UTC 2006


Craig White wrote:
> On Sun, 2006-04-02 at 19:43 -0500, Les Mikesell wrote:
> 
>>On Sun, 2006-04-02 at 18:23, Craig White wrote:
>>
>>
>>>All of the discussion about gui
>>>tools is self serving attempts to provide a smoke screen to the basic
>>>issue...that the sysadmin doesn't want to commit the time and energy to
>>>learning how to deal with it. The logical extension that I add to that
>>>is this unwilling system admin is not professional and will take the
>>>easy road, much like failure to implement password policies discussed a
>>>few days ago, etc. as this behavior is endemic and not likely reserved
>>>to just selinux.
>>
>>Or, an equally valid view is that the sysadmin in question has
>>learned from experience that every new-and-different extension
>>to the basic unix system promoted by one or a few vendors has
>>historically not turned out to be necessary and sometimes
>>introduced new problems.  A wait-and-see attitude isn't such
>>a bad thing.  When it is proven, you might expect all distributions
>>to ship it.
> 
> ----
> Of course the only people who are making these types of arguments are
> those that haven't invested the time to figure it out. Where are the
> knowledgeable admins that have taken the time to understand SELinux and
> come to the conclusion that it is not of sufficient value to implement?

Well, Craig, I suppose that depends on how one defines "knowledgeable
admin". The truly knowledgeable ones are the ones who look out for
the company's bottom line, and trade off cost of compromise with
cost of administration. IMO, SELinux breaks more things than it
"fixes", and those truly interested in security provide it
via physical access, firewalls, and DMZs, not glorified ACLs.

One thing I used to remind my engineers (when I was technical lead)
was "if it isn't in the requirements spec, it doesn't go into
the software", because every line of code is one more place for
a defect to hide. So I'm sure that SELinux has a number of
exploitable defects itself.

Mike
-- 
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!
