On 9/21/07, Mike McCarty <Mike.McCarty@xxxxxxxxxxxxx> wrote:
> Arthur Pemberton wrote:
> > On 9/21/07, Gene Heskett <gene.heskett@xxxxxxxxxxx> wrote:
> >
> >>On Friday 21 September 2007, Ed Greshko wrote:
> >>
> >>>Gene Heskett wrote:
> >>>
> >>>>I have a firewall that has so far been bulletproof. It's called dd-wrt,
> >>>>run on an old scrap x86 box, booting busybox from a cf card, no drives in
> >>>>it & only 2 fans.
> >>>
> >>>I'm not sure why you are comparing the functions of SELinux with the
> >>>functions of a firewall. It would be nice to hear your interpretation of
> >>>the issues that SELinux targets vs. what a Firewall targets. If you think
> >>>they serve the same functions it would be nice if you would cite your
> >>>source.
> >>
> >>Several people have referred to 'that hacker' getting into the system, which
> >>is how I at least made the connection to a firewall.
> >
> > So your firewalls are capable of protecting against 'that hacker'
> > who _is_ on your box, i.e. has gotten past your firewall somehow -
> > getting past a firewall is by no means an impossible task
>
> No. But my backups are the appropriate response to a compromised
> system, not SELinux.

So you're still missing the point that SELinux can prevent the system
from being compromised.

> > I have several machines with SELinux disabled, and I see no messages from it.
>
> Then you believe that at least in some circumstances SELinux has a
> greater cost than it does a benefit. We agree on that. How about
> allowing those who find themselves in that circumstance the latitude
> of not loading and running SELinux at all?

So disable it. Is that so hard? If you disable, it doesn't run.

> >>It's a 'solution' looking for a 'problem' and if it can't find a problem, it
> >>will make 10 problems just for spite.
> >
> > It solves problems for me, if you do not share this, that is
> > understandable. But it does in fact solve problems.
>
> Though I didn't see you list one problem SELinux solved for you,
> I'm not going to argue your personal assessment that the perceived
> cost of SELinux to you (on some of your machines) outweighs the
> perceived benefit (or rather the utility functions associated
> with the perceived costs, when weighed by the probabilities you assigned
> to your outcome space), since that is a personal matter.

Well I didn't intend on playing story telling time. But SELinux has
prevented me from being rooted at least once.

> What I don't like is RH thinking it knows better than I do what I
> need in the way of security software.

If they thought they knew better, they wouldn't make it possible to disable it.

--
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )