[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: selinux eradicator?



On 7/3/07, Mike McCarty <Mike McCarty sbcglobal net> wrote:
Arthur Pemberton wrote:
> On 6/28/07, Mike McCarty <Mike McCarty sbcglobal net> wrote:
>

[snip]

>>
>> A machine running current SELinux implementation is provably
>> less secure in some senses than one which is not.
>
> I don't often agree with Rahul Sundaram, plus I get the feeling that
> he doesn't like me. But I can't stand by and have you spreading this
> kind of FUD, especially considering that you have admitted to _not_
> using SELinux.

No fear. No uncertainty. No doubt. If that's what you meant.

> Please show some geek pride and not speak on this matter since by your
> own admission you have no recent experience with it.
>
> Furthermore this claim of yours is extremely broad, and baseless.

It is neither of those. If you wish to continue this, please take
it to private e-mail.

I already gave instances published by the US Government which
demonstrate that machines which run SELinux are subject to attacks
which would not otherwise have succeeded.

Thanks for brining my attention to that, went back through the thread
and found those links.

As I expected, all those exploits/bugs, require local account access.
I don't consider any system in which a local account is attacking the
systems integrity to be very secure, do you? I say that to show that,
in such a case, the presence of SELinux cannot be lowering the systems
security that much - the attacker already has local access.

Now, SELinux helps to prevent a remote attacker from getting local
access, and (as far as I know) it has no internet facing ports or
other connections.

So in a case where a machine is being used to host several local
accounts, and local multiuser usage, then I can accept that SELinux
adds vulnerabilities, but I even in that situation, I believe SELinux
adds (security) more than it removes.

--
Fedora Core 6 and proud


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]