Re: Core 2 SELinux installation

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 30 Apr 2004, Stephen Smalley wrote:

> On Fri, 2004-04-30 at 05:40, Pete Chown wrote:
> > I think this is especially true for a new security technology.  Most
> > people's view of security is quite simplistic: they want the bad guys
> > kept out, without their work being interfered with.  If SELinux
> > interferes with their work, they will turn it off, reasoning that normal
> > Unix security has kept the bad guys out so far.  They are then unlikely
> > to try it again later however much people tell them that the policy has
> > been improved.
> 
> So how would people feel about a separate relaxed policy that allows
> everything in the system to run completely unconfined except for a small
> set of specific services, e.g. apache, bind, postfix, ...
> That would ensure that SELinux wouldn't get in the way of users, while
> providing some protection benefit for network-facing services.

My initial reaction is that it sounds like quitting smoking by each month 
reducing by one the number of cigarettes smoked per day.  You are 
certainly headed in the right direction, but taking a god awful amount of 
time getting there.  Who knows what will happen in the meantime.

Cold turkey sounds good.  Nice, secure defaults, with the option to turn 
it off temporarily during testing would give us the chance to shake out 
the bugs the quickest.  I would advocate having a range of security 
selections available.  I will certainly avail myself of the opportunity 
to test the strictest of those choices, consistent with getting a little 
work done.  I want good policy available, and awareness/pressure on 
developers to consider policy when creating applications.

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux