Hi Jonathan,
there are at least two different angles regarding SELinux in the context of Bruce's LCA keynote:
The nature of security being a tradeoff and the difference between "felt" and "real" security.
If you consider security as a tradeoff, then the fact that SELinux is rather infrequently
deployed is at least a hint toward SELinux being a bad tradeoff: Most people (and I mean
professional sysadmins) tend to think that the added complexity of SELinux is likely not the
cause of more security - quite the converse. If you (as a sysadmin) do not understand how
things work and why, you will make bad decisions, and that will make your "real" security
worse.
That does not mean that SELinux is "not secure" - if you are in need of a bulletproof vest,
then please use it! You have to learn all the necessary stuff about SELinux and you have to
deploy it in a thought out manner, and it will increase your security (considerably!). But
for most security needs, the tradeoff is bad.
You state that "a system running SELinux may, in fact, be highly secure". I would like to
stress the "may": You just need a small error in your ACLs (which is easily done and not so
easy to detect) or in one of the many SELinux knobs to play with, and your security turns
from "real" to purely "felt". And while "felt" security is relevant as Bruce points out,
"felt" without "real" is a real problem :)
regards, thias
PS: I'm a "first day" subscriber and a quite happy one! Since the topics of Bruce's keynote
touch my professional habitat, I just felt the need to comment for the first time :) Please
keep up the good work at LWN.