Re: NSA motives

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Quoting Stephen Smalley <sds@xxxxxxxxxxxxx>:


There is quite a bit of work ongoing to help solve that problem
(understanding and configuring SELinux policies effectively).  SELinux
doesn't create complexity, it just reveals it and allows you to control
it.  The SELinux mechanism itself isn't very complex; the complexity
comes in trying to specify what you want to allow to happen on your
computing system, because of the highly complex interactions of existing
software on that system (not because of something added by SELinux).
Classic case of blaming the messenger - SELinux tells you about all of
the complex activity on your system and forces you to think about what
you want to allow to happen, so you blame it for creating complexity tht
was already there...
Sorry, it wasn't my intention to blame the messanger. All I wanted to say (and 
as usually badly expressing myself) was that making system secure is a complex
task.  Simply having SELinux enabled on the system does not make the system
ultimately secure.  Making changes to default policies without fully
understanding what the changes will introduce just makes it even less secure.

Example: On several Linux-end-users type of lists I already saw posters with
good intentions giving advice to include this or that rules into the policy to
solve various problems, just to have other people screeming in replies that
those including such rules into their policy could just as well disable SELinux 
completely with about the same effects.

If somebody Googles around to find solution to the specific problem and finds
advice to do "chmod -R a+rw /", (s)he is not likely to actually do it.  On the
other hand, there is many more people that will include some random set of
rules into their SELinux policy, giving application(s) way more access then
they really need. Nothing to do with SELinux as such, and it would be wrong to 
blame it.  But rather with human nature (which is the weakest link of any
security system).

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.


--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux