Craig White wrote:
On Sun, 2006-04-02 at 19:43 -0500, Les Mikesell wrote:
On Sun, 2006-04-02 at 18:23, Craig White wrote:
All of the discussion about gui
tools is self serving attempts to provide a smoke screen to the basic
issue...that the sysadmin doesn't want to commit the time and energy to
learning how to deal with it. The logical extension that I add to that
is this unwilling system admin is not professional and will take the
easy road, much like failure to implement password policies discussed a
few days ago, etc. as this behavior is endemic and not likely reserved
to just selinux.
Or, an equally valid view is that the sysadmin in question has
learned from experience that every new-and-different extension
to the basic unix system promoted by one or a few vendors has
historically not turned out to be necessary and sometimes
introduced new problems. A wait-and-see attitude isn't such
a bad thing. When it is proven, you might expect all distributions
to ship it.
----
Of course the only people who are making these types of arguments are
those that haven't invested the time to figure it out. Where are the
knowledgeable admins that have taken the time to understand SELinux and
come to the conclusion that it is not of sufficient value to implement?
Well, Craig, I suppose that depends on how one defines "knowlegeable
admin". The truly knowlegeable ones are the ones who look out for
the company's bottom line, and trade off cost of compromise with
cost of administration. IMO, SELinux breaks more things than it
"fixes", and those truly interested in security provide it
via physical access, firewalls, and DMZs, not glorified ACLs.
One thing I used to remind my engineers (when I was technical lead)
was "if it isn't in the requirements spec, it doesn't go into
the software", because every line of code is one more place for
a defect to hide. So I'm sure that SELinux has a number of
exploitable defects itself.
Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!