
Cox: Six years of Red Hat Enterprise Linux 4

Posted Aug 18, 2011 16:35 UTC (Thu) by jspaleta (subscriber, #50639)
Parent article: Cox: Six years of Red Hat Enterprise Linux 4

Just in case Mr. Cox is still reading along in the comment thread.

You know what I would find interesting? I'd like to see a similar broadside which looks at the vulnerabilities in terms of the value of selinux to mitigate risk to security issues.

The information with regard to selinux impact is in the text of each security notice from RH, but you kinda have to dig for it to get a sense of how valuable selinux is to risk mitigation. And buried information like that is a wasted opportunity to communicate the value of the tech more widely. There is probably some utility in writing up a broadside that communicates the real world impact of relying on the default selinux policy.

Specific questions I'd like to see answered in an selinux impact broadside.

1) What is the quantifiable difference in vulnerability risk for a RHEL 4 system with default selinux policy enabled versus an selinux disabled system over the full 6 years?

2) How many vulnerabilities which were not mitigated by default selinux policy could have been avoided with more restrictive policy adjustments? And what are the functionality tradeoffs in each case?

-jef



Cox: Six years of Red Hat Enterprise Linux 4

Posted Aug 21, 2011 8:53 UTC (Sun) by farnz (subscriber, #17727) [Link]

One slight enhancement to your second request; RHEL supports targeted SELinux policy, but also has a strict policy. How many vulnerabilities would have been mitigated by SELinux strict policy, but not by the supported targeted policy?

