[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Selinux

Ed Greshko wrote:
Tom Horsley wrote:
OK, I can turn off selinux, and not get any of these errors, or
I can leave selinux on, get errors, look at the troubleshoot report,
and follow the instructions to enable the program that had problems
to go ahead and do whatever nasty things selinux detected. All without
doing the kind of massive code review required to prove that the nasty
things are actually harmless in this particular program's case.

So why isn't it much simpler and less trouble to just turn off
selinux in the first place? I get the same level of security in the
end, and much less hassle in the meantime :-).

Of course that isn't quite true.  What you would have done is made the
decision to trust a single program.  You haven't disable the various
selinux protection schemes for other components.  In other words, you've
handed out a set of keys.  You've not unlocked and opened all the doors
and all the windows and turned off the alarm system.

I was going to make that point, but your analogy is elegant, and I think I'll just save it for future quoting.

Bill Davidsen <davidsen tmr com>
  "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]