SElinux

Mike McCarty Mike.McCarty at sbcglobal.net
Tue Apr 4 06:51:13 UTC 2006


Craig White wrote:
> On Mon, 2006-04-03 at 10:25 +0200, Eugen Leitl wrote:
> 
>>On Mon, Apr 03, 2006 at 12:34:07AM -0700, Craig White wrote:
>>
>>
>>>if Windows exploits are any indication, it is primarily desktop systems
>>>which are the target for malware that infects the system for nefarious
>>
>>No disagreement.
>>
>>
>>>purposes. Why? Because the users are often not knowledgeable, run with
>>>elevated privileges, travel to web sites that attempt every conceivable
>>>exploit in a plethora of scripting languages, etc.
>>
>>Yes. But more packages -- more opportunities for SELinux/RSBAC/grsecurity
>>to break your system. If a user has to choose between a secure or a functional
>>system, he will choose the one that works.
>> 
>>
>>>The policy updates from Fedora have been frequent and are automatically
>>>installed/applied
>>
>>Empirically, I had SELinux breaking services on my desktop. It is
>>hard enough to keep the system running in Fedora Core land as it is.
>>No need to extra handicap.
>>
>>It is reasonable for a sysadmin to craft and review security policy
>>on a stable (=static) server with few packages installed and few 
>>services offered. Especially, if you're paid to do it.
>>
>>Trying to do this on a rapidly evolving desktop with a rich set
>>of packages, most of them pulled in from a dozen of depositories
>>run by people with not very high stability standards (FC is bleeding
>>edge, after all) is a) not something most people enjoy b) takes
>>more time than most people have, especially if it's a hobby.
> 
> ----
> I guess it's a throw out the baby with the bathwater thing.

[snip]

I consider it throwing out the hogwash. IMO, SELinux is a
wrong-headed approach to security.

Mike
-- 
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!



