
Re: Request to re-add option to disable SELinux



On Wed, 2 Jul 2008, Alan Cox wrote:

> Knowing what it is isn't sufficient - they must know enough to make a meaningful
> risk analysis of the decision. Very few users I suspect are in that position.

This is quite a significant problem, as people tend to underestimate 
negative risk and overestimate positive risk (according to "Prospect 
Theory").

And as the odds increase in each direction, people increasingly mis-judge 
them.  e.g. people believe they'll win the lottery but figure they don't 
need a motorcycle helmet.

Bruce Schneier recently discussed the topic:
http://www.schneier.com/blog/archives/2008/05/how_to_sell_sec.html

The only way to really make progress in improving security is to make it a 
standard part of the computing landscape; for it to be ubiquitous and 
generalized, which is the aim of the SELinux project.

Having a separate "secure" version or option will not work, as proven many 
times over with the trusted Unix variants which are essentially forks of 
their respective mainline products.

Avoiding the whole issue will also not work, as DAC security simply cannot 
provide adequate protection in a globally networked environment.  The 
rationale for MAC has been made very clear in an NSA paper, the reading of 
which I think is essential for any informed discussion on the issue:

http://www.nsa.gov/selinux/papers/inevitability/

Punting the decision to the end user during installation is possibly the 
worst option.  It's our responsibility as the developers of the OS to both 
get security right and make it usable.  It's difficult, indeed, but not 
impossible.



- James
-- 
James Morris
<jmorris namei org>

