Re: Why do I need SELinux?


 



Joel wrote:

>>>The reasons I see for not using SELinux are as follows:
>>>
>>>One, this is still in-front-of-leading-edge technology. For all that the
>>>nsa is a major contributor, it needs a lot of debugging.
>>>      
>>>
>>Fedora Core 3 and RHEL 4 come with targeted policy enabled by
>>default. Sure, it can improve over time but I wouldn't classify those
>>as "debugging".
>>    
>>
>
>My apologies for not being more explicit. 
>
>There are several levels of debugging -- code, design, setup, and others.
>They feed off of each other. In this case I was talking more about the
>setup processes, and, if I had time and hardware, I'd be helping.
>
>  
>
>>>Two, I know that mis-configuration can result in reduced security, and I
>>>haven't had time to learn the configuration yet. I particularly worry
>>>about getting the system-level policy right for the kinds of things I do.
>>>
>>>      
>>>
>>OK. A much better idea is to try it out.  SELinux works on top of
>>normal DAC-based security. Any misconfiguration would probably prevent
>>some stuff from working properly but it wouldn't result in any less
>>security.
>>    
>>
>
>Yes. And if I had the time and hardware, I'd be helping. 
>
>Maybe I should admit that the only hardware I can spare to load a new OS
>on right now are some old 68K Macs. 
>
>8-0  
>
>But I hardly have time to be posting here, so I probably should have
>just kept my mouth shut.
>
>  
>
>>>Three, I'm not confident that ACLs are as effective as they are said to
>>>be, and I know how to set up the equivalent of ACLs using standard unix
>>>permissions, and that does cover most of my needs.
>>>
>>>(I know some common implementations of ACLs are a couple of dollars
>>>short. When I can get the time to study the current implementation in
>>>SELinux, I may change my mind about this point.)
>>>      
>>>
>>SELinux is not just ACLs. I am not even sure if you are implying that
>>but if you think so then please read the relevant documents.
>>    
>>
>
>If SELinux were just ACLs, then I would not be interested in even
>looking at it. Would it be inaccurate to say, however, that ACLs play a
>major role in what SELinux does? 
>
>Or does SELinux implement capabilities already?
>
>Anyway, the purpose of my previous post was to point out to some of
>those who may have more hardware and time than I do that SELinux is
>pushing in a direction we all want to push in, and anyone who can spare
>the time and hardware should dig in. If it didn't read that way, I
>apologize. 
>
>(And since I really don't have time for this, I won't say anything
>further.)
>
>--
>Joel Rees   <rees@xxxxxxxxxxx>
>digitcom, inc.   株式会社デジコム
>Kobe, Japan   +81-78-672-8800
>** <http://www.ddcom.co.jp> **
>
>  
>
Joel, your statement read here the way you intended. Points were well
made to my way of thinking.

