Mike McCarty wrote:
David Boles wrote:
on 6/28/2007 3:13 PM, Karl Larsen wrote:
[that he disabled SELinux]
Good for you!!!!
What you just did was something like:
Build a house.
Put everything valuable that you own into it.
Disable all of the locks.
Open all of the windows and doors.
And then walk away.
Makes it really easy for the 'bad guys' to steal, or break, your stuff.
Like that guy at the University that you mentioned earlier.
This is a completely unreasonable comparison.
First:
You have no idea how secure or insecure his machine is. Any machine
with external access via modem etc. is insecure. Once one has such
access, then one has only relative security. If he runs behind a
hardware firewall, and has all ports closed or "stealthed", then
he's as secure as one can be and still have connections. SELinux
does not provide (AFAIK) any way to prevent compromise, only
an attempt at containment after compromise.
Second:
I've seen industry estimates of approximately one defect per
50 non-commentary source code lines. How many lines of code are in
SELinux? Divide by 50, and that's the estimated number of defects
being introduced by loading that software onto your machine. So,
loading SELinux onto your machine provides more opportunity for
compromise via defect exploit. AFAIK, no one has actually done any
scientific study as to whether a machine with SELinux active on it be
any more secure than otherwise.
Until such time, efficacy in loading or not loading SELinux
to achieve enhanced security is a matter of conjecture, opinion,
and personal preference.
Mike
Hi Mike, exactly. I have DSL Internet and the 4-port router has a
hardware firewall and then you hit the Red Hat Linux firewall and then
you try to guess the root password or ANY password and then you're in.
In 12 years no one has made it. Been close however.
Karl