David Boles wrote:
on 6/28/2007 3:13 PM, Karl Larsen wrote:
[that he disabled SELinux]
Good for you!!!! What you just did was something like: Build a house. Put everything valuable that you own into it. Disable all of the locks. Open all of the windows and doors. And then walk away. Makes it really easy for the 'bad guys' to steal, or break, your stuff. Like that guy at the University that you mentioned earlier.
This is a completely unreasonable comparison.

First: You have no idea how secure or insecure his machine is. Any machine with external access via modem etc. is insecure. Once one has such access, then one has only relative security. If he runs behind a hardware firewall, and has all ports closed or "stealthed", then he's as secure as one can be and still have connections. SELinux does not provide (AFAIK) any way to prevent compromise, only an attempt at containment after compromise.

Second: I've seen industry estimates of approximately one defect per 50 non-commentary source code lines. How many lines of code are in SELinux? Divide by 50, and that's the estimated number of defects being introduced by loading that software onto your machine. So, loading SELinux onto your machine provides more opportunity for compromise via defect exploit.

AFAIK, no one has actually done any scientific study as to whether a machine with SELinux active on it be any more secure than otherwise. Until such time, efficacy in loading or not loading SELinux to achieve enhanced security is a matter of conjecture, opinion, and personal preference.

Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!