SELinux last straw

Arthur Pemberton pemboa at gmail.com
Thu Oct 18 14:33:18 UTC 2007


On 10/18/07, Les Mikesell <lesmikesell at gmail.com> wrote:

> The place it can hurt is if it causes enough problems that some number
> of users don't upgrade to the versions that use it or don't do
> timely updates because they have a history of introducing new problems.
>   This drops your first and best line of defense.

Les, please... this is a public list. Do not spread FUD... there is no
history of SELinux updates causing problems.

> > In a corporate environment it's obviously very different.  Using
> > different means of access control, using other layers of security such
> > as SELinux, implementing physical security measures, are all things
> > that need to be done, and properly.
>
> If you are introducing Linux as something new you can do that.
> Otherwise you have to be very careful not to break existing programs and
> infrastructure with changes and updates.

I don't see why there should be a requirement of being new.

> > I read somewhere online a while back where they hooked up various
> > unpatched Windows systems (different generations of it) and unpatched
> > Linux systems (don't remember the distros) to the web totally
> > unprotected.  The various Windows versions were all compromised within
> > minutes to hours.  None of the Linux ones were.  However when all the
> > updates were applied to these boxes none of them were compromised (no
> > Windows boxes and no Linux boxes).


> If you want a distribution to be more secure in actual use, you have to
> make it painless to update and never break anything that previously
> worked - otherwise some number of people just won't do it.

You do realise that there are different distros, and each has their
niche. Fedora's niche is being fast-paced, some would argue not fast
enough.

-- 
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )



