On Fri, 2003-06-06 at 18:38, Russell Coker wrote: > LSM (which SE Linux is built on) does not support permissive controls. So SE > Linux can only deny operations that would otherwise be permitted by regular > Unix controls. So for a recommended configuration you can not make it any > more insecure than a standard Linux system no matter what you do. Sure you can. When you're deciding if you want offer some service on a box, for example, you weight the costs, including security, against the benefits. If you've installed SELinux, you probably think it provides security benefits. So you're going to include it in calculating the security costs, which will be less because of it. Thus, you are more likely to offer services. If it turns out that SELinux doesn't really provide the security bonus you thought it did --- either due to a bug or wanton misconfiguration --- you have a less secure box than a standard Linux one would of been (because you wouldn't of offered the service)
Attachment:
signature.asc
Description: This is a digitally signed message part