Re: SELinux last straw

Matthew Miller wrote:
> On Wed, Oct 17, 2007 at 02:19:55PM -0500, Les Mikesell wrote:
>>> 1) familiarize oneself with the rules, as one has to do with
>>> traditional security
>> But the traditional unix rules are extremely simple, and being able to 
>> understand and verify them is one of their biggest virtues.
> 
> +1. Simplicity, transparency, security. It doesn't matter how high tech your
> complicated fence is if it's so complicated that you would have no chance of
> noticing if the gate were accidentally left open.
> 
The same argument could be applied to using IPtables for firewall
protection. After all, if you do not learn about IPtables rules, and
do not use one of the GUI tools, or predefined rule sets, it is easy
to have a hole and not know it. Unless you test it from the outside,
you could have a rule set that offers no protection at all, and never
know it.

Granted, the tools for SELinux are not as mature as the firewall
tools, but does that mean we throw out SELinux instead of improving
the tools? I thought one of the goals of Fedora was to improve the
tools. From what I see, the rule sets and tools for SELinux are
improving.

I have seen the same kind of arguments about nearly every major
change. I remember people complaining about udev, and what was wrong
with using the standard /dev setup. I heard it about the change to
IPTables. I have heard it about HAL. Way too many of them boil down
to "I know how the old system works, so why should I learn about this
new way of doing things? I am happy with the way things are working
now. Don't change things and make me learn a new method. I don't
care if this new method has advantages over the one I know."

Now, some of the new things are not going to work out, or in trying
to implement them, a better way may present itself. But if nobody is
willing to try the new methods, and work out the bugs that are
always going to crop up when trying something new, then there will
not be any progress.

I am not sure if most of the people arguing against SELinux
understand that it is not primarily designed to stop people from
breaking into the system. It is designed to prevent, or at least
limit, the damage after somebody gets in, or from somebody that
already has access. Defense in depth.

Mikkel
-- 

  Do not meddle in the affairs of dragons,
for thou art crunchy and tastes good with Ketchup!
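Mikkel's point about a rule set that "offers no protection at all" has a concrete, common form: an INPUT chain whose default policy is ACCEPT and whose rules only ever ACCEPT, so that the final REJECT or DROP rule that was supposed to close the gate is simply missing. The script below is an added example, not part of the original post or of any Fedora tool; it reads iptables-save output and reports whether the filter table's INPUT chain actually restricts anything. The two rule sets in it are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: audit an iptables-save dump
# for an INPUT chain that accepts everything by default. Run as:
#   iptables-save | sh thisfile.sh      (to check a live host)
# The rule sets below are constructed sample input, not captured data.

# audit_input_chain: reads iptables-save text on stdin. Returns 0 if the
# filter table's INPUT chain has a DROP policy or at least one DROP/REJECT
# rule, 1 if it is effectively wide open (ACCEPT policy, only ACCEPT rules).
audit_input_chain() {
    rules=$(cat)
    # Default policy of INPUT, taken only from the *filter table section.
    policy=$(printf '%s\n' "$rules" |
        awk '/^\*filter/{f=1} /^COMMIT/{f=0} f && /^:INPUT /{print $2}')
    # Number of INPUT rules that actually refuse traffic.
    drops=$(printf '%s\n' "$rules" |
        awk '/^\*filter/{f=1} /^COMMIT/{f=0}
             f && /^-A INPUT / && /-j (DROP|REJECT)/{n++} END{print n+0}')
    if [ "$policy" = "DROP" ] || [ "$drops" -gt 0 ]; then
        echo "INPUT policy=$policy, drop/reject rules=$drops: restrictive"
        return 0
    fi
    echo "INPUT policy=${policy:-unknown}, drop/reject rules=$drops: NO PROTECTION"
    return 1
}

# Constructed sample: looks like a firewall, but the closing REJECT rule
# is missing, so anything not matched falls through to the ACCEPT policy.
OPEN_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# Constructed sample: same rules plus the final REJECT that makes the
# earlier ACCEPT rules meaningful.
CLOSED_RULES="$OPEN_RULES"
CLOSED_RULES=$(printf '%s\n' "$CLOSED_RULES" |
    sed 's/^COMMIT$/-A INPUT -j REJECT --reject-with icmp-host-prohibited\nCOMMIT/')

printf '%s\n' "$OPEN_RULES"   | audit_input_chain || true
printf '%s\n' "$CLOSED_RULES" | audit_input_chain || true
```

The check only answers "does any rule or policy ever refuse inbound traffic"; it is a smoke test for the gate-left-open case, not a substitute for probing the host from outside with a port scanner, which is the test Mikkel is actually recommending.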

Attachment: signature.asc
Description: OpenPGP digital signature

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list