Request to re-add option to disable SELinux
James Morris
jmorris at namei.org
Thu Jul 3 01:29:07 UTC 2008
On Wed, 2 Jul 2008, Alan Cox wrote:

> Knowing what it is isn't sufficient - they must know enough to make a meaningful
> risk analysis of the decision. Very few users I suspect are in that position.

This is quite a significant problem, as people tend to underestimate
negative risk and overestimate positive risk (according to "Prospect
Theory").

And as the odds increase in each direction, people increasingly mis-judge
them. e.g. people believe they'll win the lottery but figure they don't
need a motorcycle helmet.

Bruce Schneier recently discussed the topic:
http://www.schneier.com/blog/archives/2008/05/how_to_sell_sec.html

The only way to really make progress in improving security is to make it a
standard part of the computing landscape; for it to be ubiquitous and
generalized, which is the aim of the SELinux project.

Having a separate "secure" version or option will not work, as proven many
times over with the trusted Unix variants which are essentially forks of
their respective mainline products.

Avoiding the whole issue will also not work, as DAC security simply cannot
provide adequate protection in a globally networked environment. The
rationale for MAC has been made very clear in an NSA paper, the reading of
which I think is essential for any informed discussion on the issue:
http://www.nsa.gov/selinux/papers/inevitability/

Punting the decision to the end user during installation is possibly the
worst option. It's our responsibility as the developers of the OS to both
get security right and make it usable. It's difficult, indeed, but not
impossible.

- James
--
James Morris
<jmorris at namei.org>