On 6/28/07, Mike McCarty <Mike.McCarty@xxxxxxxxxxxxx> wrote:
> Rahul Sundaram wrote:
> > Mike McCarty wrote:
> >
> >> No, that was not my argument. My argument is that people are
> >> commenting from a position of conjecture. There is no scientific
> >> conclusive study showing that SELinux unarguably improves
> >> security of machines.
> >
> > There is. SELinux is MAC security framework and is based on scientific
> > studies over decades which clearly show their advantages. Again read
> > some of the work at NSA SElinux site.
>
> Mandatory Access Control is not a thing, it is a technique. SELinux
> is a thing, which may or may not be a good implementation of MAC.
>
> >> Not one attack on my machine has made it past my router. Not one.
> >> My router sometimes logs thousands of attempts per month. I've been
> >> running since about October 2005. I'd say it's pretty debatable that my
> >> machine would be more secure with SELinux enabled.
> >
> > A machine running SELinux enabled is provably more secure than a machine
> > running merely a firewall or router. They are not comparable security
> > technologies.
>
> A machine running current SELinux implementation is provably less
> secure in some senses than one which is not.

I don't often agree with Rahul Sundaram, plus I get the feeling that he doesn't like me. But I can't stand by and have you spreading this kind of FUD, especially considering that you have admitted to _not_ using SELinux. Please show some geek pride and not speak on this matter since by your own admission you have no recent experience with it. Furthermore this claim of yours is extremely broad, and baseless.

[ snip ]

> > It is a fact because actual development work is being done on these user
>
> It is faith that SELinux will survive at all.

How faith entered into a thread about software I have no idea.

[snip]

> > So again, completely removing all SELinux libraries (as opposed to
> > merely turning it off) is very intrusive and significant amount of
> > effort that does not offer any significant advantages but if you want
> > really want to put the effort and send patches you are welcome to do so.
> > It is certainly easier than creating a different spin however which you
> > were advocating for.
>
> Erm, ADDING SELinux was an intrusive effort, which is now difficult to undo.

My thanks to all those who worked, and continue to work on SELinux

--
Fedora Core 6 and proud