Rahul Sundaram wrote:
Mike McCarty wrote:
[...]
You mean like these security vulnerabilities introduced by SELinux:
These vulnerabilities do not support your point that it is merely
conjecture as long as there are provable advantages which it has. Are
What they show is that there are provable DISadvantages. No amount
of weighing advantages on one side vs. disadvantages on the other
is going to amount to proof of whether any individual person should
or should not use it.
Clearly, not having any security measures at all is demonstrably
worse than having some, by overwhelming evidence. Such is not the
case for the "additional" security provided by SELinux.
you going to argue that we should disable PAM and iptables because
security issues have been found on them? I guess not.
Partially, my point is that any time one modifies any package, no
matter for what reason, there is the opportunity to introduce
defects. Therefore, all applications which are affected by SELinux,
potentially all of them, now have an opportunity for defects to be
introduced; a circumstance which would not occur if not for SELinux.
Also, SELinux is itself a large chunk of code, with its own defects.
Also agreed that it is an additional security measure, though I wouldn't
use the term "layer".
Why not?
The term "layer" indicates a single object with multiple
parts, which support one another. SELinux is not a "layer"
like in a cake. It is an adjunct, alongside the usual UNIX-
like security measures present in all Linux systems. It does
have certain wedge-like characteristics, in which it intrudes
into other packages.
Spoken by a True Convert.
If you can't keep the argument technical you would do well by not
participating in the discussion. Dragging this discussion to focus on me
is completely unwarranted.
You expressed faith, which is purely personal. How else am I to comment?
Keep your own comments technical, and you won't evoke such kinds of
responses.
My bottom line: There is not overwhelming evidence that SELinux
provides a net wothwhile increase in security of non secure systems.
As long as this situation continues, then there is room for people
like Karl not to want it on his machine.
I'm not lobbying for anyone to remove it. I'm not trying to convince
anyone that it's a bad thing. I'm lobbying for people to have a CHOICE
whether to install it, without also having to exercise the choice to
use a different distro. I thinks that's only reasonable.
Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!
