Mike McCarty wrote:
Rahul Sundaram wrote:
Mike McCarty wrote:
What they show is that there are provable DISadvantages. No amount
of weighing advantages on one side vs. disadvantages on the other
is going to amount to proof of whether any individual person should
or should not use it.
No but you argument was that the advantages are merely conjecture and
that is very clearly false.
No, that was not my argument. My argument is that people are
commenting from a position of conjecture. There is no scientific
conclusive study showing that SELinux unarguably improves
security of machines.
There is. SELinux is MAC security framework and is based on scientific
studies over decades which clearly show their advantages. Again read
some of the work at NSA SElinux site.
Not one attack on my machine has made it past my router. Not one.
My router sometimes logs thousands of attempts per month. I've been
running since about October 2005. I'd say it's pretty debatable that my
machine would be more secure with SELinux enabled.
A machine running SELinux enabled is provably more secure than a machine
running merely a firewall or router. They are not comparable security
technologies.
Yes, they do. Because currently the onus is still on the
side of proponents of SELinux to show that it is conclusively
better than what already exists
... which they already have for those who bother to look.
I quote:
"the management of SELinux needs and will improve with the continuous
development of better user space tools"
That is faith, not a matter of technical fact.
It is a fact because actual development work is being done on these user
space tools as it has happened over several Fedora releases. It is
undeniable and easily verifiable that SELinux user space tools have
improved very heavily from the early introduction during FC2 time frame.
[snip]
I did not respond to what you wrote, you responded to me. I saw
Karl ask for a change to FC which I thought was reasonable.
I saw a response which was not a reasonable one, and responded
to it.
You actually missed out my very reasonable and clear answer and I had to
respond to you again to point out that I have already answered the
question you were asking which is not a new one and has been answered
many times before and you have made several incorrect assumptions about
SELinux which I had to correct.
So again, completely removing all SELinux libraries (as opposed to
merely turning it off) is very intrusive and significant amount of
effort that does not offer any significant advantages but if you want
really want to put the effort and send patches you are welcome to do so.
It is certainly easier than creating a different spin however which you
were advocating for.
Rahul
