pemboa at gmail.com
Tue Jul 3 18:46:02 UTC 2007
On 6/28/07, Mike McCarty <Mike.McCarty at sbcglobal.net> wrote:
> Rahul Sundaram wrote:
> > Mike McCarty wrote:
> >> No, that was not my argument. My argument is that people are
> >> commenting from a position of conjecture. There is no scientific
> >> conclusive study showing that SELinux unarguably improves
> >> security of machines.
> > There is. SELinux is a MAC security framework and is based on scientific
> > studies over decades which clearly show their advantages. Again read
> > some of the work at NSA SELinux site.
> Mandatory Access Control is not a thing, it is a technique. SELinux
> is a thing, which may or may not be a good implementation of MAC.
> >> Not one attack on my machine has made it past my router. Not one.
> >> My router sometimes logs thousands of attempts per month. I've been
> >> running since about October 2005. I'd say it's pretty debatable that my
> >> machine would be more secure with SELinux enabled.
> > A machine running SELinux enabled is provably more secure than a machine
> > running merely a firewall or router. They are not comparable security
> > technologies.
> A machine running current SELinux implementation is provably
> less secure in some senses than one which is not.
I don't often agree with Rahul Sundaram, plus I get the feeling that
he doesn't like me. But I can't stand by and have you spreading this
kind of FUD, especially considering that you have admitted to _not_
Please show some geek pride and not speak on this matter since by your
own admission you have no recent experience with it.
Furthermore this claim of yours is extremely broad, and baseless.
[ snip ]
> > It is a fact because actual development work is being done on these user
> It is faith that SELinux will survive at all.
How faith entered into a thread about software I have no idea.
> > So again, completely removing all SELinux libraries (as opposed to
> > merely turning it off) is very intrusive and a significant amount of
> > effort that does not offer any significant advantages but if you
> > really want to put the effort and send patches you are welcome to do so.
> > It is certainly easier than creating a different spin however which you
> > were advocating for.
> Erm, ADDING SELinux was an intrusive effort, which is now difficult
> to undo.
My thanks to all those who worked, and continue to work on SELinux
Fedora Core 6 and proud