Joel wrote:
>>> The reasons I see for not using SELinux are as follows:
>>>
>>> One, this is still in-front-of-leading-edge technology. For all that the
>>> NSA is a major contributor, it needs a lot of debugging.
>>
>> Fedora Core 3 and RHEL 4 come with targeted policy enabled by
>> default. Sure, it can improve over time, but I wouldn't classify those
>> as "debugging".
>
> My apologies for not being more explicit.
>
> There are several levels of debugging: code, design, setup, and others.
> They feed off of each other. In this case I was talking more about the
> setup processes, and, if I had time and hardware, I'd be helping.
>
>>> Two, I know that misconfiguration can result in reduced security, and I
>>> haven't had time to learn the configuration yet. I particularly worry
>>> about getting the system-level policy right for the kinds of things I do.
>>
>> OK. A much better idea is to try it out. SELinux works on top of
>> normal DAC-based security. Any misconfiguration would probably prevent
>> some stuff from working properly, but it wouldn't result in any less
>> security.
>
> Yes. And if I had the time and hardware, I'd be helping.
>
> Maybe I should admit that the only hardware I can spare to load a new OS
> on right now are some old 68K Macs.
>
> 8-0
>
> But I hardly have time to be posting here, so I probably should have
> just kept my mouth shut.
>
>>> Three, I'm not confident that ACLs are as effective as they are said to
>>> be, and I know how to set up the equivalent of ACLs using standard Unix
>>> permissions, and that does cover most of my needs.
>>>
>>> (I know some common implementations of ACLs are a couple of dollars
>>> short. When I can get the time to study the current implementation in
>>> SELinux, I may change my mind about this point.)
>>
>> SELinux is not just ACLs. I am not even sure if you are implying that,
>> but if you think so then please read the relevant documents.
>
> If SELinux were just ACLs, then I would not be interested in even
> looking at it. Would it be inaccurate to say, however, that ACLs play a
> major role in what SELinux does?
>
> Or does SELinux implement capabilities already?
>
> Anyway, the purpose of my previous post was to point out to some of
> those who may have more hardware and time than I do that SELinux is
> pushing in a direction we all want to push in, and anyone who can spare
> the time and hardware should dig in. If it didn't read that way, I
> apologize.
>
> (And since I really don't have time for this, I won't say anything
> further.)
>
> --
> Joel Rees <rees@xxxxxxxxxxx>
> digitcom, inc. 株式会社デジコム
> Kobe, Japan +81-78-672-8800
> ** <http://www.ddcom.co.jp> **

Joel, your statement read here the way you intended. Points were well made to my way of thinking.
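The claim in the quoted exchange that SELinux "works on top of normal DAC-based security", so that a bad policy breaks services rather than weakening the system, can be made concrete with a toy model of the access decision. The following is an added illustration written for this page; it is neither code from the thread nor part of SELinux itself. The policy text is a hand-written, constructed sample in a small subset of SELinux type-enforcement `allow` syntax, the type and domain names (httpd_t, httpd_sys_content_t, shadow_t) are borrowed from the targeted policy only as labels, and the DAC check is deliberately simplified (no group bits, and root is treated as unconditionally passing DAC, whereas real SELinux also gates the CAP_DAC_OVERRIDE capability).

```python
"""Toy model of the SELinux decision order: DAC first, then type enforcement.

Added illustration for this thread; not SELinux code. The 'allow' rules
below are a constructed sample in a subset of SELinux TE syntax.
"""
import re
from dataclasses import dataclass

# Correct (hypothetical) policy: the web server may read its content and
# append to its logs, nothing else.
GOOD_POLICY = """
allow httpd_t httpd_sys_content_t:file { read getattr open };
allow httpd_t httpd_log_t:file { append create };
"""

# "Misconfigured": the rule letting the web server read its content is missing.
BROKEN_POLICY = """
allow httpd_t httpd_log_t:file { append create };
"""

# "Over-permissive": an allow rule nobody should write.
SLOPPY_POLICY = """
allow httpd_t shadow_t:file { read write };
"""

ALLOW_RE = re.compile(r"allow\s+(\S+)\s+([^:\s]+):(\S+)\s*\{\s*([^}]*)\}\s*;")


def parse_policy(text: str) -> set:
    """Turn 'allow src tgt:cls { perms };' lines into (src, tgt, cls, perm) tuples."""
    rules = set()
    for src, tgt, cls, perms in ALLOW_RE.findall(text):
        for perm in perms.split():
            rules.add((src, tgt, cls, perm))
    return rules


@dataclass(frozen=True)
class FileObj:
    owner: str
    mode: int      # Unix permission bits, e.g. 0o644
    type_: str     # SELinux type taken from the file's security context


@dataclass(frozen=True)
class Process:
    user: str
    domain: str    # SELinux domain the process runs in


PERM_BIT = {"read": 4, "write": 2, "execute": 1}


def dac_allows(proc: Process, obj: FileObj, perm: str) -> bool:
    """Simplified Unix check: root passes, the owner uses the 'user' triplet,
    everyone else the 'other' triplet (group bits omitted)."""
    if proc.user == "root":
        return True
    shift = 6 if proc.user == obj.owner else 0
    return bool((obj.mode >> shift) & PERM_BIT[perm])


def mac_allows(rules: set, proc: Process, obj: FileObj, perm: str,
               enforcing: bool = True) -> bool:
    """Type enforcement: in enforcing mode access needs an explicit allow rule;
    in permissive mode nothing is denied (it would only be logged)."""
    if not enforcing:
        return True
    return (proc.domain, obj.type_, "file", perm) in rules


def access(rules: set, proc: Process, obj: FileObj, perm: str,
           enforcing: bool = True) -> str:
    """The kernel consults DAC first; SELinux can only narrow the result."""
    if not dac_allows(proc, obj, perm):
        return "denied (DAC)"
    if not mac_allows(rules, proc, obj, perm, enforcing):
        return "denied (SELinux)"
    return "allowed"


def demo() -> dict:
    """Walk through the cases argued in the thread and return the outcomes."""
    index = FileObj(owner="apache", mode=0o644, type_="httpd_sys_content_t")
    shadow = FileObj(owner="root", mode=0o000, type_="shadow_t")
    httpd = Process(user="apache", domain="httpd_t")
    httpd_as_root = Process(user="root", domain="httpd_t")
    good, broken, sloppy = (parse_policy(p) for p in
                            (GOOD_POLICY, BROKEN_POLICY, SLOPPY_POLICY))
    return {
        # correct policy: reads its content, but cannot write it even though
        # DAC (owner, mode 0644) would allow the write
        "good/read content": access(good, httpd, index, "read"),
        "good/write content": access(good, httpd, index, "write"),
        # missing rule: the service breaks, security is not reduced
        "broken/read content": access(broken, httpd, index, "read"),
        # over-permissive rule: still cannot grant what DAC already refuses
        "sloppy/read shadow": access(sloppy, httpd, shadow, "read"),
        # root passes DAC in this model, but the domain still confines it
        "good/root reads shadow": access(good, httpd_as_root, shadow, "read"),
        # permissive mode falls back to plain DAC
        "broken,permissive/read content": access(broken, httpd, index, "read",
                                                 enforcing=False),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:34} {result}")
```

The two results worth noticing are "broken/read content" and "sloppy/read shadow": a forgotten rule turns into a denial that shows up as a broken service, and an over-broad rule cannot open a file that the ordinary mode bits already close. The "root reads shadow" case is what the thread means by SELinux being more than ACLs: the confinement follows the domain, not the Unix user.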