On Wed, 2005-07-13 at 13:22, Paul Howarth wrote:
> My point was that there's no way of knowing what undiscovered
> vulnerabilities there are on your system, so having multiple layers of
> defences such as firewalls, mounting /var and /tmp partitions with
> noexec, selinux etc. all help to mitigate the risk.

And the counterpoint to that is that we (most of us, anyway) also don't know what new problems selinux creates as it tries to solve the old, well-known ones. Why is it that you accept on faith that adding new code in the form of selinux is an improvement, while recognizing that you don't know about undiscovered vulnerabilities in code that has been around for ages and has already had the obvious things fixed?

-- 
Les Mikesell
lesmikesell@xxxxxxxxx