On Tue, 2005-07-05 at 10:42 -0500, alex@xxxxxxxxxxxxxxx wrote:
> Sorry, it wasn't my intention to blame the messenger. All I wanted to say
> (and as usual, badly expressing myself) was that making a system secure is a
> complex task. Simply having SELinux enabled on the system does not make the
> system ultimately secure. Making changes to default policies without fully
> understanding what the changes will introduce just makes it even less secure.
>
> Example: On several Linux-end-users type of lists I already saw posters with
> good intentions giving advice to include this or that rule into the policy to
> solve various problems, just to have other people screaming in replies that
> those including such rules into their policy could just as well disable
> SELinux completely with about the same effects.
>
> If somebody Googles around to find a solution to a specific problem and finds
> advice to do "chmod -R a+rw /", (s)he is not likely to actually do it. On the
> other hand, there are many more people that will include some random set of
> rules into their SELinux policy, giving application(s) way more access than
> they really need. Nothing to do with SELinux as such, and it would be wrong
> to blame it. But rather with human nature (which is the weakest link of any
> security system).

Yes, understood. And as I say, there is ongoing work to make (correct)
policy configuration much more accessible to typical end users.

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list