Re: selinux eradicator?

David Boles wrote:
> on 6/28/2007 3:13 PM, Karl Larsen wrote:

[that he disabled SELinux]

> Good for you!!!!
>
> What you just did was something like:
>
> Build a house.
> Put everything valuable that you own into it.
> Disable all of the locks.
> Open all of the windows and doors.
>
> And then walk away.
>
> Makes it really easy for the 'bad guys' to steal, or break, your stuff.
> Like that guy at the University that you mentioned earlier.

This is a completely unreasonable comparison.

First:

You have no idea how secure or insecure his machine is. Any machine
with external access via modem etc. is insecure. Once one has such
access, then one has only relative security. If he runs behind a
hardware firewall, and has all ports closed or "stealthed", then
he's as secure as one can be and still have connections. SELinux
does not provide (AFAIK) any way to prevent compromise, only
an attempt at containment after compromise.

Second:

I've seen industry estimates of approximately one defect per
50 non-commentary source code lines. How many lines of code are in
SELinux? Divide by 50, and that's the estimated number of defects
being introduced by loading that software onto your machine. So,
loading SELinux onto your machine provides more opportunity for
compromise via defect exploit. AFAIK, no one has actually done any
scientific study as to whether a machine with SELinux active on it be
any more secure than otherwise.

Until such time, efficacy in loading or not loading SELinux
to achieve enhanced security is a matter of conjecture, opinion,
and personal preference.

Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list