SElinux

Mike McCarty Mike.McCarty at sbcglobal.net
Tue Apr 4 06:54:23 UTC 2006


Matthew Saltzman wrote:
> On Mon, 3 Apr 2006, Robert Nichols wrote:
> 
>> Craig White wrote:
>>
>>> The policy updates from Fedora have been frequent and are automatically
>>> installed/applied
>>
>> True, and they might even be workable on a system that is set up
>> with 100% standard file system structure and users whose interaction
>> with the OS is limited to clicking on icons.  Add a separate
>> filesystem for large downloaded files or have a user that uses the
>> (gasp!) command line to do bizarre things like redirect the output
>> from ping onto a file in his home directory and SELinux starts
>> blocking you at every turn unless you can spend the time to become
>> an SELinux guru and figure out what needs to be tweaked in the
>> policy or attributes to fix things _this_ time, and try to guess
>> how badly that change will break when tomorrow's policy update gets
>> installed.
> 
> This (blocking redirected pings) seemed bizarre to me, so I brought it 
> up on the fedora-selinux list.
> 
> Good News: I had the resolution in about 45 minutes.
> 
> Bad News (maybe): It's apparently an actual bug.  I will bugzilla later 
> if Robert doesn't relent and do it first.
> 
> Sort-of Good News: Once it's fixed, that issue will be resolved, 
> presumably for good.

Bad news: SELinux is *itself* something which reduces security.
The more code you load, the more exploitable defects get loaded.
And SELinux isn't small.

Mike
-- 
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!