Les Mikesell wrote:
> On Wed, 2005-07-13 at 13:22, Paul Howarth wrote:
> > My point was that there's no way of knowing what undiscovered
> > vulnerabilities there are on your system, so having multiple layers of
> > defences such as firewalls, mounting /var and /tmp partitions with
> > noexec, selinux etc. all help to mitigate the risk.
> And the counterpoint to that is that we (most of us anyway) also
> don't know what new problems selinux creates as it tries to
> solve the old well known ones. Why is it that you accept on
> faith that adding new code in the form of selinux is an improvement
> while recognizing that you don't know about undiscovered vulnerabilities
> in code that has been around for ages and has already had the obvious
> things fixed?
Thank you.
We *know* that selinux poses vulnerabilities to keeping the system
up.
Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!
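One of the layers named in the quoted exchange, noexec on /tmp and /var, is cheap to verify and cheap to get wrong. The script below is an added example, not code from this thread or from any of the posters: it audits a /proc/mounts-style table for the noexec, nosuid and nodev options on the usual candidate mount points. SAMPLE_MOUNTS is a constructed snapshot so the script runs offline; the function names, the list of mount points checked and the sample device names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit mount options
# for /tmp, /var, /var/tmp and /dev/shm, the usual noexec/nosuid/nodev
# candidates. SAMPLE_MOUNTS is a constructed /proc/mounts snapshot used
# for the offline run; call audit_mounts with no argument on a live host.
#
# The matching /etc/fstab entries look like this (weak form first):
#   /dev/sda3  /tmp  ext3  defaults                      0 2
#   /dev/sda3  /tmp  ext3  defaults,nosuid,nodev,noexec  0 2

SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /var ext3 rw,relatime 0 0
/dev/sda3 /tmp ext3 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda2 /var/tmp ext3 rw,nosuid,noexec,relatime 0 0'

# mount_opts MOUNTPOINT [MOUNTS_TEXT]
# Prints the option field (field 4) of the entry whose mount point (field 2)
# equals MOUNTPOINT, or an empty line if MOUNTPOINT is not a separate mount.
# With no MOUNTS_TEXT the live /proc/mounts is read.
mount_opts() {
    mp=$1
    text=${2:-$(cat /proc/mounts)}
    printf '%s\n' "$text" | awk -v mp="$mp" '$2 == mp { opts = $4 } END { print opts }'
}

# has_opt MOUNTPOINT OPTION [MOUNTS_TEXT]
# Exit status 0 if OPTION is present in the comma-separated option list.
# Wrapping in commas prevents "noexec" from matching inside another option.
has_opt() {
    opts=$(mount_opts "$1" "${3:-}")
    case ",$opts," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# missing_opts MOUNTPOINT [MOUNTS_TEXT]
# Prints the space-separated subset of noexec/nosuid/nodev that MOUNTPOINT
# lacks and returns 1 if anything is missing. A path that is not its own
# mount point inherits its parent's options, so it is reported separately
# as "not-a-separate-mount" rather than silently treated as hardened.
missing_opts() {
    opts=$(mount_opts "$1" "${2:-}")
    if [ -z "$opts" ]; then
        echo "not-a-separate-mount"
        return 1
    fi
    missing=""
    for o in noexec nosuid nodev; do
        has_opt "$1" "$o" "${2:-}" || missing="$missing $o"
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# audit_mounts [MOUNTS_TEXT]
# One line per candidate mount point; returns 1 if any of them is not
# fully hardened, 0 if all are.
audit_mounts() {
    rc=0
    for mp in /tmp /var /var/tmp /dev/shm; do
        if m=$(missing_opts "$mp" "${1:-}"); then
            echo "OK   $mp"
        else
            echo "WARN $mp missing: $m"
            rc=1
        fi
    done
    return $rc
}

# Offline demonstration against the constructed snapshot.
audit_mounts "$SAMPLE_MOUNTS"
echo "audit exit status: $?"
```

Against the constructed snapshot the audit flags /var (no noexec, nosuid or nodev), /var/tmp (no nodev) and /dev/shm (no noexec) and passes only /tmp. Two caveats a practitioner would add: noexec stops `./payload` from /tmp but not `sh /tmp/payload` or `python /tmp/payload.py`, so it is one layer and not a fix; and, as the counterpoint in the thread says of selinux, the new layer brings its own breakage, since some package builds and installers expect an executable /var/tmp and fail quietly once it is noexec.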