selinux eradicator?

Arthur Pemberton pemboa at gmail.com
Wed Jul 4 05:31:46 UTC 2007


On 7/3/07, Mike McCarty <Mike.McCarty at sbcglobal.net> wrote:
> Arthur Pemberton wrote:
> > On 6/28/07, Mike McCarty <Mike.McCarty at sbcglobal.net> wrote:
> >
>
> [snip]
>
> >>
> >> A machine running current SELinux implementation is provably
> >> less secure in some senses than one which is not.
> >
> > I don't often agree with Rahul Sundaram, plus I get the feeling that
> > he doesn't like me. But I can't stand by and have you spreading this
> > kind of FUD, especially considering that you have admitted to _not_
> > using SELinux.
>
> No fear. No uncertainty. No doubt. If that's what you meant.
>
> > Please show some geek pride and not speak on this matter since by your
> > own admission you have no recent experience with it.
> >
> > Furthermore this claim of yours is extremely broad, and baseless.
>
> It is neither of those. If you wish to continue this, please take
> it to private e-mail.
>
> I already gave instances published by the US Government which
> demonstrate that machines which run SELinux are subject to attacks
> which would not otherwise have succeeded.

Thanks for bringing my attention to that; I went back through the thread
and found those links.

As I expected, all those exploits/bugs require local account access.
I don't consider any system in which a local account is attacking the
system's integrity to be very secure, do you? I say that to show that,
in such a case, the presence of SELinux cannot be lowering the system's
security that much - the attacker already has local access.

Now, SELinux helps to prevent a remote attacker from getting local
access, and (as far as I know) it has no internet-facing ports or
other connections.

So in a case where a machine is being used to host several local
accounts, with local multiuser usage, then I can accept that SELinux
adds vulnerabilities, but even in that situation I believe SELinux
adds more (security) than it removes.

-- 
Fedora Core 6 and proud
