


Posted Sep 23, 2004 4:30 UTC (Thu) by dvdeug (subscriber, #10998)
In reply to: Complexity by walters
Parent article: An introduction to SELinux

Good security plans are simple, in part because it's simpler to understand a simple plan, and in part because few people really enjoy working with security and will make shortcuts when it gets too complex. It doesn't matter how wonderful SELinux is and how many smartass comments you can make about real-world systems being complex, if it's too complex, then it isn't going to work for most of us.



Posted Sep 23, 2004 4:57 UTC (Thu) by walters (subscriber, #7396) [Link]

The point is that securing a complex system is going to be complex. There simply aren't any shortcuts.

However, as Stephen says, SELinux is very flexible, as is exemplified by the new targeted policy. The targeted policy is really quite simple, and it's *very* easy to just turn restrictions on a particular service off now with the support for runtime boolean policy changes.


Posted Sep 30, 2004 8:44 UTC (Thu) by emj (guest, #14307) [Link]

> The point is that securing a complex system is going to be complex.

Well, if setting up an ordinary multiuser shell/ftp/web server is going to be complex, then SELinux is too complex.


Posted Sep 23, 2004 6:12 UTC (Thu) by bronson (subscriber, #4806) [Link]

Well, here's a key phrase from that message:

"Being confident in the correctness of an inadequate security model doesn't help much."

If you can figure out a simple model that both works well and is demonstrably secure, you will gain fame and fortune. However, a great number of people have spent long years working on exactly this problem and there's still no magic bullet. If you're not willing to devote the time needed to create an effective security model then, well, you probably don't need one. Most people don't.
