Walsh: Introducing the SELinux Sandbox
Posted May 28, 2009 17:58 UTC (Thu) by hppnq
In reply to: Walsh: Introducing the SELinux Sandbox
Parent article: Walsh: Introducing the SELinux Sandbox
You keep seeing things black and white. So to you, with the right kernel patch (grsecurity, I presume) in place, things become "unexploitable" at one end of the spectrum, while one vulnerablity in SCTP blows away SELinux completely at the other end of the spectrum.
What I am saying is: neither grsecurity nor SELinux will give you the security you claim they do (not) provide, unless you also seriously look at other factors. This is extremely straight forward, the Five Things To Keep In Mind point this out as well. (Your rant and vulnerability disclosure in Thing 2 shines a remarkable light on the Usenix paper indeed.)
I am not sure whether I am really unclear, or whether you really don't understand what I mean, but I think I have said enough about this now.
to post comments)