On Sun, 2005-06-19 at 11:22 -0700, stewartetcie@xxxxxxxxxx wrote:
> The point is that SELinux is: (1) so complex as to be
> unmanageable; (2) inappropriate for all cases,
> virtualization being a case in point. By the way, sHype
> is available as a patch for Xen, which is distributed
> with Fedora Core 4.

SELinux doesn't create complexity; it just reveals the existing complexity of what is already occurring on your computing system and provides you with a mechanism that allows you to control that complexity. In the absence of such a mechanism, you have no chance of knowing what is occurring on your system or being able to control it, and thus no way to counter the risk posed by malicious and flawed applications.

Virtualization gives you a way to confine/isolate at very coarse granularity with very strong isolation guarantees (which can indeed be useful, and can be used in combination with SELinux), but doesn't really solve the problem of fine-grained controlled sharing and confinement of malicious/flawed applications on the OS.

> On a more general note Steve, take a look at Ken
> Thompson's 1984 ACM Turing Award lecture, "Reflections
> on Trusting Trust" wherein the author of the UNIX
> operating system illustrates why you shouldn't trust
> sneaky folks like him. By extension, I'm a little
> suspicious of the NSA's motives in distributing a
> system for mandatory access control that is needlessly
> complex and, essentially, unmanageable at a time when
> snort and tripwire, for example, are widely available
> and a stateful firewall is built into the Linux kernel.

None of what you list above is a mechanism for mandatory access control, and all of them can be used in combination with SELinux just fine.

SELinux is the right foundation for mandatory access control - its generality and comprehensiveness are exactly what one needs for a general purpose OS that needs to deal with a wide range of security requirements, and it provides an extensible infrastructure for applications so that the same kinds of controls can be easily applied to application abstractions as well.

> Fedora is
> the only widely used Linux distribution to incorporate
> SELinux in such a manner that it cannot be removed. If
> it's so important, how come everybody else can get along
> without it? Perhaps we might consider an alternative
> Fedora Core 4 distro that is free of this one-stop
> security panacea?

I'm not sure what you mean by "cannot be removed". As stated, Fedora certainly allows you to disable SELinux. Other 2.6-based distributions include the SELinux code as well, although they may disable it by default. Most distributions don't want to have to ship multiple variations of the kernel and userland, so they naturally don't want to have to ship a SELinux and non-SELinux variant of kernel, coreutils, etc. And as far as I know, no one (and certainly not the NSA) has suggested that SELinux is a one-stop security panacea - we have always been careful to note the limitations of SELinux.

-- 
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
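The claim in the reply above that SELinux "reveals the existing complexity of what is already occurring on your computing system" is easiest to see from the AVC audit trail, which records which domain tried to touch which type with which permission. The shell script below is an added example, not code from the mailing-list thread, from the NSA or from Fedora. The AVC lines it parses are constructed for illustration (the pids, inodes and timestamps are made up) in the `avc: denied { perm } for ... scontext=... tcontext=... tclass=...` layout that FC4-era kernels log to dmesg and the audit log; the function names `summarize_avc` and `sample_summary` are my own.

```shell
#!/bin/sh
# Added example: summarize SELinux AVC denials by (source type, target type,
# object class, permission). Not from the fedora-selinux-list thread.
# SAMPLE_AVC is CONSTRUCTED sample data in the classic AVC message layout;
# it describes no real system or incident.

SAMPLE_AVC='audit(1119201234.567:101): avc:  denied  { read } for  pid=2011 comm="httpd" name="index.html" dev=hda3 ino=40961 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
audit(1119201235.120:102): avc:  denied  { read } for  pid=2011 comm="httpd" name="photo.jpg" dev=hda3 ino=40977 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
audit(1119201240.004:103): avc:  denied  { name_connect } for  pid=2013 comm="httpd" dest=3306 scontext=root:system_r:httpd_t tcontext=system_u:object_r:mysqld_port_t tclass=tcp_socket
audit(1119201241.333:104): avc:  denied  { write } for  pid=2020 comm="named" name="data" dev=hda3 ino=51200 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir
audit(1119201250.700:105): avc:  granted  { setenforce } for  pid=3001 comm="setenforce" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security'

# summarize_avc: read AVC lines on stdin and print one line per distinct
# "<count> <source type> <target type> <class> <permission>", sorted.
# Only "denied" records are counted; "granted" (audit-allow) records are
# skipped so that auditing noise does not masquerade as a policy gap.
summarize_avc() {
    awk '
    / avc: +denied / {
        perms = ""; stype = ""; ttype = ""; tclass = ""
        # The permission set sits between "{" and "}" and may list several
        # permissions, e.g. "{ read write }"; count each one separately.
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        # Contexts are user:role:type; only the type matters for the summary.
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); stype = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, b, ":"); ttype = b[3] }
            else if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) count[stype " " ttype " " tclass " " p[j]]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k2
}

# sample_summary: run the summarizer over the constructed sample so the
# script does something useful when executed directly.
sample_summary() {
    printf '%s\n' "$SAMPLE_AVC" | summarize_avc
}

sample_summary
```

On a live FC4 box you would pipe `dmesg` or `/var/log/audit/audit.log` into `summarize_avc` instead of the constructed sample; the output (here, httpd_t reading user_home_t files and connecting to mysqld_port_t, named_t writing to named_zone_t) is exactly the "what is occurring on your system" that the reply says you cannot see without a mechanism like this. A denial is evidence, not a verdict: whether httpd_t should be allowed to read user home directories is a policy decision, and the summary only tells you the question is being asked.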