Home
Reading
Searching
Subscribe
Sponsors
Statistics
Posting
Contact
Spam
Lists
Links
About
Hosting
Filtering
Features Download
Marketing
Archives
FAQ
Blog
 
Gmane
From: Stephen Smalley <sds <at> tycho.nsa.gov>
Subject: Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
Newsgroups: gmane.linux.kernel.lsm
Date: Tuesday 18th April 2006 20:20:11 UTC (over 11 years ago)
On Tue, 2006-04-18 at 14:59 -0500, Serge E. Hallyn wrote:
> Quoting Alan Cox ([email protected]):
> > On Maw, 2006-04-18 at 09:50 -0700, Gerrit Huizenga wrote:
> > > or are there places where a "less than perfect, easy to use, good
enough"
> > > security policy?  I believe there is room for both based on the end
> > > users' needs and desires.  But that is just my opinion.
> > 
> > Poor security systems lead to less security than no security because it
> > lulls people into a false sense of security. Someone who knows their
> 
> Not wanting to make any digs one way or another, but because the culture
> right now refuses to admit it I must point out:
> 
> So does "security" which is too complicated and therefore ends up
> misconfigured (or disabled).

Not sure who refuses to admit it, but there is plenty of work in
progress to improve SELinux useability.  But that doesn't require
crippling the kernel mechanism, nor would that help.  Keep in mind as
well that SELinux "complexity" is purely a reflection of complexity in
Linux; SELinux just exposes the existing interactions and provides a way
to control them.  The SELinux mechanism itself is fairly simple.  

> The posix caps sendmail fiasco is one example.


-- 
Stephen Smalley
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe
linux-security-module" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
 
CD: 2ms