Re: selinux eradicator?

Mike McCarty wrote:
Rahul Sundaram wrote:
Mike McCarty wrote:

What they show is that there are provable DISadvantages. No amount
of weighing advantages on one side vs. disadvantages on the other
is going to amount to proof of whether any individual person should
or should not use it.


No, but your argument was that the advantages are merely conjecture, and that is very clearly false.

No, that was not my argument. My argument is that people are
commenting from a position of conjecture. There is no scientific
conclusive study showing that SELinux unarguably improves
security of machines.

There is. SELinux is a MAC security framework and is based on scientific studies over decades which clearly show their advantages. Again, read some of the work at the NSA SELinux site.

Not one attack on my machine has made it past my router. Not one.
My router sometimes logs thousands of attempts per month. I've been
running since about October 2005. I'd say it's pretty debatable that my
machine would be more secure with SELinux enabled.

A machine running SELinux enabled is provably more secure than a machine running merely a firewall or router. They are not comparable security technologies.

Yes, they do. Because currently the onus is still on the
side of proponents of SELinux to show that it is conclusively
better than what already exists

... which they already have for those who bother to look.

I quote:

"the management of SELinux needs and will improve with the continuous development of better user space tools"

That is faith, not a matter of technical fact.

It is a fact because actual development work is being done on these user space tools, as it has happened over several Fedora releases. It is undeniable and easily verifiable that SELinux user space tools have improved very heavily from the early introduction during the FC2 time frame.

[snip]
I did not respond to what you wrote, you responded to me. I saw
Karl ask for a change to FC which I thought was reasonable.
I saw a response which was not a reasonable one, and responded
to it.

You actually missed out my very reasonable and clear answer and I had to respond to you again to point out that I have already answered the question you were asking which is not a new one and has been answered many times before and you have made several incorrect assumptions about SELinux which I had to correct.

So again, completely removing all SELinux libraries (as opposed to merely turning it off) is very intrusive and a significant amount of effort that does not offer any significant advantages, but if you really want to put in the effort and send patches, you are welcome to do so. It is certainly easier than creating a different spin, however, which you were advocating for.

Rahul

