Re: SELinux - a call for end-of-life.

> The top brass of Linux community has by now a life-time experience of "what
> works and what does not" and should be capable of initiating and rethinking

Actually we don't. We have some experience but system wide security is a
hard problem. People like the NSA have been studying it since the 1950s
and SELinux is part of that fifty odd years of research - both into
formal models of containment and into studying software behaviour and
errors.

> - it should show various diagnostics (alarms) in real-time, but never interfere
>   with or prevent a program from execution.

That's a self contradictory goal. If it shows an alarm then the attacker
can remove the alarm again before you see it. Also there's not a lot of
value in "you have been owned, your data is toast, your hard disk is
erased" in many environments. 

Anyway you are describing SELinux permissive mode.

> - it should not interfere with / try to undo any present and standard
>   UNIX/Linux system security measures

That's SELinux permissive mode (and SELinux btw won't override standard
security refusals), if chmod says you can't have it SELinux won't let you
at it, it may only additionally bar access (or in permissive mode alarm
about it).

> - it should be supplementary to existing UNIX/Linux system security

Like say SELinux

> - it should be self-contained, installable and removable at any time, without
>   influencing the system 

That's also self contradictory since adding or removing it must change
the behaviour of the system to be useful - eg in reporting alarms as you
wanted.


Alan
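
The following is an added example, not part of the message above. It sorts SELinux AVC denial records into those that were only logged (permissive mode) and those that were actually blocked (enforcing mode). It assumes the `permissive=` field that current kernels append to AVC records; the sample records are constructed and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample audit records, not taken from a real host.
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.101:501): avc:  denied  { read } for  pid=2101 comm="httpd" name="shadow" dev="dm-0" ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000005.220:502): avc:  denied  { write } for  pid=2101 comm="httpd" name="index.html" dev="dm-0" ino=2207 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000005.220:502): arch=c000003e syscall=257 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1700000009.007:503): avc:  denied  { read open } for  pid=2350 comm="sshd" path="/etc/passwd-" dev="dm-0" ino=991 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
"""

# Fields of an AVC denial; permissive= is treated as optional (assumption:
# records written by older kernels may lack it).
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]*) \}'
    r'.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+)'
    r' tclass=(?P<tclass>\S+)(?: permissive=(?P<permissive>[01]))?'
)

# permissive=1: access was allowed and only reported; permissive=0: refused.
OUTCOME = {"1": "logged-only", "0": "blocked", None: "unknown"}


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # SELinux contexts are user:role:type:level; the type is the domain.
    rec["domain"] = rec["scontext"].split(":")[2]
    rec["outcome"] = OUTCOME[rec["permissive"]]
    return rec


def summarize(log_text):
    """Count denials per (source domain, outcome)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            counts[(rec["domain"], rec["outcome"])] += 1
    return counts


if __name__ == "__main__":
    for (domain, outcome), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{domain:10} {outcome:12} {n}")
```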