> > The reasons I see for not using SELinux are as follows:
> >
> > One, this is still in-front-of-leading-edge technology. For all that the
> > NSA is a major contributor, it needs a lot of debugging.
>
> Fedora Core 3 and RHEL 4 come with targeted policy enabled by
> default. Sure, it can improve over time but I wouldn't classify those
> as "debugging".

My apologies for not being more explicit. There are several levels of
debugging -- code, design, setup, and others. They feed off of each other.
In this case I was talking more about the setup processes, and, if I had
time and hardware, I'd be helping.

> > Two, I know that mis-configuration can result in reduced security, and I
> > haven't had time to learn the configuration yet. I particularly worry
> > about getting the system-level policy right for the kinds of things I do.
> >
>
> ok. a much better idea is to try it out. SELinux works on top of
> normal DAC based security. any misconfiguration would probably prevent
> some stuff from working properly but it wouldn't result in any less
> security.

Yes. And if I had the time and hardware, I'd be helping.

Maybe I should admit that the only hardware I can spare to load a new OS
on right now are some old 68K Macs. 8-0

But I hardly have time to be posting here, so I probably should have just
kept my mouth shut.

> > Three, I'm not confident that ACLs are as effective as they are said to
> > be, and I know how to set up the equivalent of ACLs using standard unix
> > permissions, and that does cover most of my needs.
> >
> > (I know some common implementations of ACLs are a couple of dollars
> > short. When I can get the time to study the current implementation in
> > SELinux, I may change my mind about this point.)
>
> SELinux is not just ACLs. I am not even sure if you are implying that
> but if you think so then please read the relevant documents

If SELinux were just ACLs, then I would not be interested in even looking
at it.

Would it be inaccurate to say, however, that ACLs play a major role in
what SELinux does? Or does SELinux implement capabilities already?

Anyway, the purpose of my previous post was to point out to some of those
who may have more hardware and time than I do that SELinux is pushing in
a direction we all want to push in, and anyone who can spare the time and
hardware should dig in. If it didn't read that way, I apologize.

(And since I really don't have time for this, I won't say anything
further.)

--
Joel Rees <rees@xxxxxxxxxxx>
digitcom, inc. 株式会社デジコム
Kobe, Japan +81-78-672-8800
** <http://www.ddcom.co.jp> **
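The point made in the thread, that SELinux sits on top of ordinary DAC permissions and so a broken policy can break things but cannot grant more than DAC already allows, can be illustrated with a small decision model. The following is an added example, not code from the thread or from the SELinux project: it is a deliberately simplified model (no groups, no ACLs, only three permissions), and the type names such as `httpd_t`, `httpd_sys_content_t` and `shadow_t` are used only as illustrative labels. The ordering it encodes (discretionary check first, type-enforcement check second, with permissive mode logging rather than blocking) is the real one.

```python
"""Toy model of the DAC-then-MAC decision order SELinux uses (added example)."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# A type-enforcement allow rule: (subject type, object type, permission).
Rule = Tuple[str, str, str]


@dataclass(frozen=True)
class Subject:
    uid: int
    stype: str   # SELinux type of the process, e.g. "httpd_t" (illustrative)


@dataclass(frozen=True)
class Obj:
    owner_uid: int
    mode: int    # classic Unix mode bits, e.g. 0o644
    otype: str   # SELinux type of the file, e.g. "shadow_t" (illustrative)


PERM_BIT = {"read": 4, "write": 2, "execute": 1}


def dac_allows(subj: Subject, obj: Obj, perm: str) -> bool:
    """Discretionary check, simplified: root bypasses, then owner or 'other' bits."""
    if subj.uid == 0:
        return True
    bits = (obj.mode >> 6) & 7 if subj.uid == obj.owner_uid else obj.mode & 7
    return bool(bits & PERM_BIT[perm])


def mac_allows(subj: Subject, obj: Obj, perm: str, policy: Set[Rule]) -> bool:
    """Type-enforcement check: permitted only if an explicit allow rule exists."""
    return (subj.stype, obj.otype, perm) in policy


def decide(subj: Subject, obj: Obj, perm: str, policy: Set[Rule],
           enforcing: bool = True) -> Tuple[bool, Optional[str]]:
    """Return (allowed, audit_line).

    The MAC hook runs only after DAC has already passed, so a policy can only
    subtract from what DAC grants, never add to it.  In permissive mode a
    denial is logged but the access proceeds, which is what makes a new
    policy safe to try out.
    """
    if not dac_allows(subj, obj, perm):
        return False, None                     # never reaches the SELinux hook
    if mac_allows(subj, obj, perm, policy):
        return True, None
    audit = f"avc: denied {{ {perm} }} scontext={subj.stype} tcontext={obj.otype}"
    return (not enforcing), audit


def demo() -> dict:
    """Constructed scenarios showing each branch of the decision."""
    web = Subject(uid=48, stype="httpd_t")
    root_web = Subject(uid=0, stype="httpd_t")     # root, but still confined by type
    page = Obj(owner_uid=48, mode=0o644, otype="httpd_sys_content_t")
    shadow = Obj(owner_uid=0, mode=0o600, otype="shadow_t")

    good = {("httpd_t", "httpd_sys_content_t", "read")}
    broken: Set[Rule] = set()                      # botched policy: no rules at all
    sloppy = {("httpd_t", o, p)                    # over-broad policy allowing everything
              for o in ("httpd_sys_content_t", "shadow_t") for p in PERM_BIT}

    return {
        "good_page": decide(web, page, "read", good)[0],                        # True
        "broken_page": decide(web, page, "read", broken)[0],                    # False: breaks the site
        "broken_permissive": decide(web, page, "read", broken, False),          # (True, audit line)
        "sloppy_shadow": decide(web, shadow, "read", sloppy)[0],                # False: DAC said no first
        "root_confined": decide(root_web, shadow, "read", good)[0],             # False: DAC yes, MAC no
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `sloppy_shadow` case is the one the thread is about: even a policy that allows `httpd_t` everything cannot let the web server read a root-owned mode 0600 file, because the DAC check has already refused before the policy is consulted. The `broken_page` case shows the other half of the claim, that a bad policy costs availability rather than security, and `broken_permissive` shows why permissive mode is the usual way to try a policy out.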