No executables in /tmp
andrew.jorgensen at gmail.com
Mon Mar 27 23:13:14 MST 2006
On 3/27/06, Michael Halcrow <mike at halcrow.us> wrote:
> Personally, I would prefer the power, flexibility, and (yes)
> complexity of SE Linux over many other MAC solutions out
> there. AppArmor may be a good solution for many cases, but just
> because it is simpler does not mean that it can do a better job of
> securing a system than SE Linux can do.
Complexity is what makes a system insecure. The tradeoff need not be
between security and usability but between simplicity and flexibility.
I'm not saying, of course, that SELinux is inherently insecure. I
don't believe that. What I do believe is that the complexity means
that it's difficult to learn and to use correctly (securely) and the
majority of admins will never learn it. Now, some (one?) distros
provide SELinux profiles for all of their applications, but these
systems tend to be fragile. The minute you have to compile something
yourself to add some functionality the distro didn't provide, you have
to learn SELinux or it will probably break in some way. Many admins
simply turn SELinux off because they can't spend the time to learn how
to make it work for them.