Re: swapping

On Fri, 2015-01-16 at 16:31 -0800, Gordon Messmer wrote:

> If your computer is single-user anyway, why does it need a security 
> subsystem?
> *eyeroll*

That actually isn't as crazy as you seem to think.  Security should
always be seen as a tradeoff between the cost of the security vs the
potential loss and the odds of a breach.  Seen in that light simply
disabling permissions could indeed be justified under some conditions.
But there are some important differences between SELinux and the UNIX
model:

1.  You can teach a total newb (assuming IQ over room temp) the basics
of the UNIX permissions system in under an hour and every admin is
expected to know pretty much all details of it.  Nobody understands
SELinux beyond a few developers at RedHat and the NSA.  Even after
reading the O'Reilly book since it is already obsolete.  Contrast to the
UNIX model that hasn't changed in longer than the median age of the
typical Linux user and has extensive documentation that is accurate.

2.  The UNIX security model is integral to UNIX and Linux.  SELinux
exists almost entirely outside the normal filesystems and toolset.
Normal tools rarely preserve SELinux attributes when taking backups or
transferring files between machines.  RPM only partially understands it
after it being a standard feature for a decade.

3.  Any machine configured even slightly differently than the RH devels
expected -WILL- break SELinux.  Or I have just been very very unlucky on
multiple occasions.  Unless one is, or has access to, one of the
extremely limited number of SELinux experts the best solution is to
simply disable it when it breaks.  Doubly so if the machine in question
isn't a server.

4.  Consider the points above and realize SELinux has been a mandatory
at install time feature on Fedora even longer than PulseAudio, and
neither are even close to being reliable... yet were pushed into
production and removal apparently isn't a topic for civilized
discussion.  At what point is it legitimate to question the wisdom of
this?


-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx