Craig White wrote:
> On Mon, 2006-04-03 at 10:25 +0200, Eugen Leitl wrote:
> > On Mon, Apr 03, 2006 at 12:34:07AM -0700, Craig White wrote:
> > > if Windows exploits are any indication, it is primarily desktop systems
> > > which are the target for malware that infects the system for nefarious
> >
> > No disagreement.
> >
> > > purposes. Why? Because the users are often not knowledgeable, run with
> > > elevated privileges, travel to web sites that attempt every conceivable
> > > exploit in a plethora of scripting languages, etc.
> >
> > Yes. But more packages -- more opportunities for SELinux/RSBAC/grsecurity
> > to break your system. If a user has to choose between a secure or a functional
> > system, he will choose the one that works.
> >
> > > The policy updates from Fedora have been frequent and are automatically
> > > installed/applied
> >
> > Empirically, I had SELinux breaking services on my desktop. It is
> > hard enough to keep the system running in Fedora Core land as it is.
> > No need to extra handicap.
> >
> > It is reasonable for a sysadmin to craft and review security policy
> > on a stable (=static) server with few packages installed and few
> > services offered. Especially, if you're paid to do it.
> >
> > Trying to do this on a rapidly evolving desktop with a rich set
> > of packages, most of them pulled in from a dozen of depositories
> > run by people with not very high stability standards (FC is bleeding
> > edge, after all) is a) not something most people enjoy b) takes
> > more time than most people have, especially if it's a hobby.
> ----
> I guess it's a throw out the baby with the bathwater thing.

[snip]
I consider it throwing out the hogwash. IMO, SELinux is a
wrong-headed approach to security.
Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!