SELinux threads, cynicism, one-upmanship, etc.




On Sat, 2005-11-19 at 14:02, Lamar Owen wrote:
> So much for older and simpler is
> better; why don't we go back to VMS?  It's substantially more secure than
> Linux (the Linux kernel and heritage is not 30 years old, because Linux is
> not Unix).

The VMS model isn't older and simpler than unix - it is more complex and
around the same age.  The unix model was intentionally simplified by
someone familiar with Multics, an older and much more complicated
system.  People have had a choice between VMS and unix for a long time
and VMS found a very small niche of popularity.  Linux may not be unix
but its design goal was to provide the same api - and for good reasons.

> > The mechanism was there all along, the policy wasn't - and the policy
> > didn't belong in the kernel.
> 
> Sure, the policy of chroot is indeed in the kernel, and the kernel
> enforces the chroot, no?  

No, the kernel provides the mechanism of chroot, and has more or less
forever.  A policy of using it or not is left up to you.  Simplicity
in the kernel.

> The other typical answer to exploits is firewalling: pray tell where that
> policy is enforced.

The best place is on a separate box from anything that it should be
protecting.

-- 
  Les Mikesell
    lesmikesell@xxxxxxxxx
