On Tue, 2007-01-16 at 01:10 -0500, Claude Jones wrote:
> Maybe you guys are thinking about this all wrong. Suppose that SELinux
> is really a diversion. By forcing the question of mandatory access
> controls at the kernel level, there's a team of specialists being
> trained who are mastering in great depth, the detailed minutiae of how
> each daemon they program for, functions at the lowest levels. The goal
> is to create the specialist team that knows every hook, every detail,
> of low level operations of all major software running in the OS

I was being more of a devil's advocate than anything else...  But going
along with what you mention is more in keeping with what I had in mind.

SELinux is about restricting access, not providing more of it.  If you
remove it, you're granting access to more of your system.  The real
question is whether SELinux has a loophole that grants access without
you knowing about it (lunatic wild conspiracy theory).  Unless SELinux
provides yet another way into your system, removing it doesn't bring
about any tangible security benefits.

It goes back to one of the original discussions, what *EXACTLY* does it
do (more than we know about?).  If it *only* adds restrictions, there's
nothing for anybody to worry about.  Except, perhaps, for some program
authors that think that they should be able to read any file on the
system without restrictions (e.g. your /etc/passwd files, and so on,
being served out through Apache).

-- 
(Currently testing FC5, but still running FC4, if that's important.)

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
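
The argument in the message above, that a restriction-only MAC layer can only shrink the set of permitted accesses, as an added sketch that is not part of the original post. It is a toy model: the files, users, domain and type names and the allow rules are constructed for illustration and are not real SELinux policy.

```python
# Toy model of a read decision: ordinary Unix permissions (DAC) are checked
# first, and the MAC layer is consulted only to veto what DAC already allowed.
# All data below is constructed sample data, not real policy.
FILES = {
    "/var/www/html/index.html": {"owner": "root", "other_read": True, "type": "web_content_t"},
    "/etc/passwd": {"owner": "root", "other_read": True, "type": "etc_t"},
    "/etc/shadow": {"owner": "root", "other_read": False, "type": "shadow_t"},
}
PROCESSES = {
    "apache": {"user": "apache", "domain": "web_server_t"},
    "backup": {"user": "root", "domain": "backup_t"},
}
# (domain, type, permission) triples; anything not listed is denied by MAC.
ALLOW = {
    ("web_server_t", "web_content_t", "read"),
    ("web_server_t", "shadow_t", "read"),  # deliberately over-broad rule
    ("backup_t", "web_content_t", "read"),
    ("backup_t", "etc_t", "read"),
    ("backup_t", "shadow_t", "read"),
}

def dac_allows(proc, path):
    """Simplified Unix check: root, the owner, or the 'other' read bit."""
    f, user = FILES[path], PROCESSES[proc]["user"]
    return user == "root" or user == f["owner"] or f["other_read"]

def mac_allows(proc, path):
    """Default-deny lookup of an allow rule for the process domain."""
    return (PROCESSES[proc]["domain"], FILES[path]["type"], "read") in ALLOW

def can_read(proc, path, enforcing):
    # MAC can turn a DAC "yes" into "no"; it can never turn a "no" into "yes".
    return dac_allows(proc, path) and (mac_allows(proc, path) if enforcing else True)

def granted(enforcing):
    """Every (process, file) pair that ends up readable."""
    return {(p, f) for p in PROCESSES for f in FILES if can_read(p, f, enforcing)}

if __name__ == "__main__":
    with_mac, without_mac = granted(True), granted(False)
    print("readable with MAC enforcing:", sorted(with_mac))
    print("extra access once MAC is removed:", sorted(without_mac - with_mac))
    print("access that exists only with MAC:", sorted(with_mac - without_mac))
```

The over-broad rule for `shadow_t` gives the web server nothing, because the DAC check has already refused; that is the property the message relies on.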

