On Tue, 04 Oct 2005 14:29:05 EDT, John Richard Moser said: > Aside from this, viruses and spyware and worms can now run rampant and > do what they want to his system, and other users' idiotic actions on a > multi-user system affect him. This is more user friendly? No, I think > it's going in the opposite direction. . . . Virus writers are users too, you know. :) And the other users are users as well - what if the other user's "idiotic action" is to nuke your 500Mbyte archive of alt.binaries.pictures.llama.sex that's taking up the disk space that is keeping him from running the payroll software? In your world, rather than him being able to fix the problem, he has to go find a sysadmin with the root password to fix it, causing delays and being less friendly.... You seem to be intentionally trying to miss the basic point, which is that any additional security ends up trading off against other things. Non-execute stack is a Good Thing security-wise - but it breaks some code, forcing upgrades and/or having to track down binaries and flag them as "don't enforce NX stack". And then those binaries are still vulnerable.... SELinux is, in general, also a Good Thing. However, the fact that the policy restricts what stuff can happen in the security context associated with mail delivery (after all, you *don't* want arbitrary binaries running then, right?) did some serious damage to the way I use procmail, which in some cases ended up running other binaries. OK, so my .procmailrc *is* a 600-line monster that does a lot of odd stuff - the point was that I had to add even *more* contortions to the way it works, which is even less user-friendly....
Attachment:
pgpvZ4H3eMShd.pgp
Description: PGP signature
- Follow-Ups:
- Re: The price of SELinux (CPU)
- From: Bill Davidsen <[email protected]>
- Re: The price of SELinux (CPU)
- From: John Richard Moser <[email protected]>
- Re: The price of SELinux (CPU)
- References:
- The price of SELinux (CPU)
- From: John Richard Moser <[email protected]>
- Re: The price of SELinux (CPU)
- From: [email protected]
- Re: The price of SELinux (CPU)
- From: John Richard Moser <[email protected]>
- The price of SELinux (CPU)
- Prev by Date: Re: /etc/mtab and per-process namespaces
- Next by Date: Re: what's next for the linux kernel?
- Previous by thread: Re: The price of SELinux (CPU)
- Next by thread: Re: The price of SELinux (CPU)
- Index(es):