
Re: Updated SELinux Release



On Thu, 04 Nov 2004 23:06:06 -0500, Colin Walters <walters@verbum.org> said: 

> On Thu, 2004-11-04 at 13:15 +0000, Luke Kenneth Casson Leighton wrote:
>> default: no.

> Why not on by default, with a targeted policy, for everyone?
> SELinux's flexibility allows one to easily turn it off for specific
> services.  There's a lot of value in preventing a compromised or
> misconfigured syslogd or portmap daemon from destroying your system.
> Not to mention Apache; with the stronger version of can_network, the
> Slapper worm would have been stopped in its tracks (no outbound port
> 80 access).  Additionally, I'm working on securing some high-risk
> software using the targeted policy; something that would be
> difficult to impossible to do without SELinux.

> The entire point of SELinux is to bring strong, flexible mandatory
> access control to a mainstream operating system (Linux).  If it's
> not enabled by default, and limited to the few of us on this mailing
> list, what's the point?  Why don't we just run say EROS
> (http://www.eros-os.org/) instead?  A: Because what makes SELinux
> interesting is that it can run all of our legacy software.  By not
> shipping it on everywhere, we're not tapping that ability.

	This is all very nice, but I think we need to take an
 evolutionary change to reach that goal. The first step, far more
 palatable than forcing SELinux (even with just a targeted policy) is
 to get SELinux in the default kernels, disabled by default at boot
 time.

	manoj
-- 
Harp not on that string. William Shakespeare, "Henry VI"
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C


