[OT][Practices] The Case for RBAC/MAC

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] 

On Sat, 2005-11-19 at 18:17 -0500, Marko A. Jennings wrote:
> At least in my case, Dag is right.  I've been keeping my mouth shut hoping
> (against hope) that these guys would finally give the 990 of us a break. 
> Unfortunately, history teaches us that they don't have enough sense to do
> so.

I'm just tired of seeing RBAC/MAC principles, as well as the SELinux
approach, being mis-represented here.  I _never_ had a problem with
anyone disabling it (that was _other_ people), but I do _not_ like the
continued "inaccuracy of assumptions" being thrown around here.

If you don't want to use SELinux, don't.  But do _not_:

A)  Try to make all sorts of analysis based on either user services or
kernel services that grant privilege -- SELinux does not, just like
NetFilter doesn't either, they only remove privileges

B)  Continually say it does nothing for your what you do, because there
are others who are using it, and they do take advantage of what it
offers.

C)  Call an "enterprise distro" released for SMBs as well as enterprises
as 'broken' merely because it offers compatibility issues with more
"general" usage

D)  Recognize that other UNIX flavors _have_ implemented RBAC/MAC, and
if companies like Red Hat do not force the issue, many SMBs and
enterprises _will_ consider moving back to other UNIX flavors (like
Solaris)

E)  Our newest entry:  Comparisons to the NT RBAC/MAC model (which is
actually not bad -- but it was _never_ followed by Microsoft's own
applications division)

Honestly, at this point with things like "E", I think people really need
to _stop_ "reaching" for "excuses" that *I* never called for.  If you
feel you need to answer _other_ people because they said something about
how you aren't a good admin, etc..., etc..., etc... get over it.

Until then, I think it's a sad world when people want to continually
defense a position from -- and I'm sorry -- ignorance of what SELinux
is.  Just forget it exists and I'll be happy.  Until then, the
continuous "musical positions/assumptions" are growing old.

This will be my last post in this OT/Practices thread on the matter.


-- 
Bryan J. Smith   b.j.smith@xxxxxxxx   http://thebs413.blogspot.com
-------------------------------------------------------------------
For everything else *COUGH*commercials*COUGH* there's "ManningCard"
[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux