SElinux

Tim ignored_mailbox at yahoo.com.au
Tue Apr 4 12:18:57 UTC 2006


On Tue, 2006-04-04 at 01:49 -0500, Mike McCarty wrote:
> One thing I used to remind my engineers (when I was technical lead)
> was "if it isn't in the requirements spec, it doesn't go into
> the software", because every line of code is one more place for
> a defect to hide. So I'm sure that SELinux has a number of
> exploitable defects itself.

I wouldn't be completely surprised; most things seem to have some flaw.

I think it does have one defect already: people having too much faith in
it.  If you're not careful, you'll think you're safe simply because it's
there, like some people feel about their firewalls,
anti-virus/spyware/trojan/whatever software.  "Chroot" was seen as the
answer to all problems by some a while ago, and it didn't quite live up
to expectations.

They all have a tendency to cause another problem:  Those who create
exploitable software being less concerned about making their software
safer, because they consider that something else will watch their back.

-- 
(Currently running FC4, occasionally trying FC5.)

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.



