Rahul Sundaram wrote:
Mike McCarty wrote:
If he runs behind a
hardware firewall, and has all ports closed or "stealthed", then
he's as secure as one can be and still have connections.
SELinux is not related to any traditional firewalls at all just in case
someone is confused about that still.
Agreed on this point. I hope what I wrote wouldn't cause anyone
to think otherwise.
[snip]
Until such time, efficacy in loading or not loading SELinux
to achieve enhanced security is a matter of conjecture, opinion,
and personal preference.
It is very much not conjecture. Use any good search engine and do your
own research rather speculate. One point that should be noted is that
You mean like these security vulnerabilities introduced by SELinux:
http://www.nsa.gov/selinux/list-archive/0306/4468.cfm
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-1052
http://www.gentoo.org/security/en/glsa/glsa-200510-22.xml
http://marc.info/?l=selinux&m=105492305125090&w=2
http://osvdb.org/displayvuln.php?osvdb_id=25232
It appears that SELinux can be disabled via a kernel exploit in FC6:
http://lists.immunitysec.com/pipermail/dailydave/2007-March/004133.html
For another "supporter" whose comments can actually be read as
a criticism, see
http://lwn.net/Articles/111437/
Here's an example of a defect added to the kernel as a result of
attempting to accomodate SELinux
http://projects.info-pull.com/mokb/MOKB-14-11-2006.html
unlike the original analogy SELinux is a additional security layer and
turning it off doesnt not equate to turning off all security measures
Also agreed that it is an additional security measure, though I wouldn't
use the term "layer".
and of course the management of SELinux needs and will improve with the
continuous development of better user space tools but what the
underlying architecture is based on decades of research and work. NSA
SELinux site has various docs on this.
Spoken by a True Convert.
Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list