Re: selinux eradicator?


 



On 7/3/07, Mike McCarty <Mike.McCarty@xxxxxxxxxxxxx> wrote:
Arthur Pemberton wrote:
> On 6/28/07, Mike McCarty <Mike.McCarty@xxxxxxxxxxxxx> wrote:
>

[snip]

>>
>> A machine running current SELinux implementation is provably
>> less secure in some senses than one which is not.
>
> I don't often agree with Rahul Sundaram, plus I get the feeling that
> he doesn't like me. But I can't stand by and have you spreading this
> kind of FUD, especially considering that you have admitted to _not_
> using SELinux.

No fear. No uncertainty. No doubt. If that's what you meant.

> Please show some geek pride and not speak on this matter since by your
> own admission you have no recent experience with it.
>
> Furthermore this claim of yours is extremely broad, and baseless.

It is neither of those. If you wish to continue this, please take
it to private e-mail.

I already gave instances published by the US Government which
demonstrate that machines which run SELinux are subject to attacks
which would not otherwise have succeeded.

Thanks for bringing my attention to that, went back through the thread
and found those links.

As I expected, all those exploits/bugs require local account access.
I don't consider any system in which a local account is attacking the
system's integrity to be very secure, do you? I say that to show that,
in such a case, the presence of SELinux cannot be lowering the system's
security that much - the attacker already has local access.

Now, SELinux helps to prevent a remote attacker from getting local
access, and (as far as I know) it has no internet facing ports or
other connections.

So in a case where a machine is being used to host several local
accounts, and local multiuser usage, then I can accept that SELinux
adds vulnerabilities, but even in that situation, I believe SELinux
adds (security) more than it removes.

--
Fedora Core 6 and proud

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list