SELINUX - Why?

Mike McCarty mike.mccarty at sbcglobal.net
Wed Jul 27 23:17:11 UTC 2005


Les Mikesell wrote:

[about selinux]

> 
> I'd consider it more like airbags. They are turning out to be a good
> thing overall but they have accidentally killed a few people too.
> 

How apropos. The inventor of airbags has applied for a patent
on airbags' use as a means of execution of criminals.

AIUI, selinux allows one to specify what kind of access what
kinds of entities on my computer may have (presuming that it
works correctly). So, if someone can get a program on my machine
which runs suid to root, then presumably selinux can limit
or mitigate to some extent what damage it might do.

OTOH, if a program can run suid root, then it can also change
selinux policy.

So?

The more programs, the more places where defects may lurk.

I guess that the upshot is, there is no *compelling* reason
to run it. Some may feel safer using it. Others may not.

Mike
-- 
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!




More information about the fedora-list mailing list