
Re: [News] Linux Security Compared to a 'Gold Standard' (OpenBSD)

  • Subject: Re: [News] Linux Security Compared to a 'Gold Standard' (OpenBSD)
  • From: "[H]omer" <spam@xxxxxxx>
  • Date: Thu, 27 Sep 2007 05:53:04 +0100
  • Bytes: 2817
  • In-reply-to: <2258764.aHrybGE68t@xxxxxxxxxxxxxxx>
  • Newsgroups: comp.os.linux.advocacy
  • Openpgp: id=BF436EC9; url=http://slated.org/files/GPG-KEY-SLATED.asc
  • Organization: Slated.org
  • References: <2258764.aHrybGE68t@xxxxxxxxxxxxxxx>
  • User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.6) Gecko/20070811 Remi/2.0.0.6-1.fc6.remi Thunderbird/2.0.0.6 Mnenhy/0.7.5.666
  • Xref: ellandroad.demon.co.uk comp.os.linux.advocacy:562780
Verily I say unto thee, that Roy Schestowitz spake thusly:
> SELinux vs. OpenBSD's Default Security
> 
> ,----[ Quote ]
> | Darrin Chandler suggested, "security should not be grafted on, it 
> | should be integrated into the main development process. I'm sure 
> | the patch maintainers are doing their best, but this doesn't change
> | the fundamental flaw in the process. It's not a flaw of their
> | making, it's inherent in the situation. But it's still a flaw."
> `----

Whilst I agree that SELinux is overly complex, it is nonetheless a
robust solution when properly deployed and maintained.

The key to simplifying SELinux integration is for each package
maintainer to distribute a policy addendum for that package, thus
ensuring the contexts for that package are properly set.

This is not especially difficult, other than requiring an additional
testing phase for each package, and can be deployed in the RPM/DEB.

If package maintainers would adopt and follow that procedure, most of
the difficulties and criticisms regarding SELinux would disappear,
packages would "just work" with SELinux enabled, and nobody would feel
compelled to automatically disable SELinux at the first sign of
difficulty.

This does not preclude security being "part of code quality, and part of
the normal mainline development", as he later asserts. The two are not
mutually exclusive.

-- 
K.
http://slated.org

.----
| "OOXML is a superb standard"
| - GNU/Linux traitor, Miguel de Icaza.
`----

Fedora release 7 (Moonshine) on sky, running kernel 2.6.22.1-41.fc7
 05:51:19 up 49 days,  4:46,  3 users,  load average: 0.57, 0.33, 0.39
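
One way a package could carry such a policy addendum, as an added example that is not from the post or from any real package: a hypothetical daemon `exampled` ships a minimal SELinux module (type enforcement plus file contexts) and the install/remove steps that its package scriptlets (`%post`/`%postun` in RPM, `postinst`/`postrm` in DEB) would run. It assumes the reference-policy devel Makefile (`/usr/share/selinux/devel/Makefile`, from the distribution's policy devel package) for the build step and `semodule`/`restorecon` from policycoreutils; the paths and type names are invented for the example.

```shell
#!/bin/sh
# Added example: a hypothetical package "exampled" shipping its own SELinux
# policy module so its file contexts are set at install time. Not taken from
# any real package; type names and paths are constructed for illustration.
set -eu

write_policy_sources() {  # $1 = directory to write exampled.te/.fc into
    dir=$1
    mkdir -p "$dir"
    # Type enforcement: a confined domain for the daemon, an entrypoint type
    # for its binary, and a private type for its state under /var/lib.
    cat >"$dir/exampled.te" <<'EOF'
policy_module(exampled, 1.0.0)

type exampled_t;
type exampled_exec_t;
init_daemon_domain(exampled_t, exampled_exec_t)

type exampled_var_lib_t;
files_type(exampled_var_lib_t)

manage_dirs_pattern(exampled_t, exampled_var_lib_t, exampled_var_lib_t)
manage_files_pattern(exampled_t, exampled_var_lib_t, exampled_var_lib_t)
files_var_lib_filetrans(exampled_t, exampled_var_lib_t, { dir file })
EOF
    # File contexts: the labels restorecon applies to the package's paths.
    cat >"$dir/exampled.fc" <<'EOF'
/usr/sbin/exampled        --  gen_context(system_u:object_r:exampled_exec_t,s0)
/var/lib/exampled(/.*)?       gen_context(system_u:object_r:exampled_var_lib_t,s0)
EOF
}

build_policy_module() {  # package build time: compile sources into exampled.pp
    make -C "$1" -f /usr/share/selinux/devel/Makefile exampled.pp
}

post_install() {  # what %post / postinst would run: load module, relabel files
    semodule -i "$1/exampled.pp"
    restorecon -R /usr/sbin/exampled /var/lib/exampled 2>/dev/null || true
}

post_uninstall() {  # what %postun / postrm would run on final removal
    semodule -r exampled
}
```

With the module loaded, the daemon starts confined in `exampled_t` via the init domain transition and its state files are created as `exampled_var_lib_t`, so no manual `chcon` or policy edit is needed by the administrator.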
