From: Russell Coker <russell@coker.com.au>
To: <mayerf@tresys.com>,
"'Joshua D. Guttman disp: current'" <guttman@mitre.org>,
"'Karl MacMillan'" <kmacmillan@tresys.com>
Cc: "'SELinux List'" <SELinux@tycho.nsa.gov>,
"'Stephen D. Smalley'" <sds@epoch.ncsc.mil>,
"'Amy L. Herzog'" <aherzog@mitre.org>,
"'John D. Ramsdell'" <ramsdell@mitre.org>,
"'Galen B. Williamson'" <gwilliam@mitre.org>,
"'Grant M. Wagner'" <gmw@tycho.ncsc.mil>,
"'David Caplan'" <dac@tresys.com>
Subject: Re: Announce: SELinux conditional policy extensions
Date: Sat, 14 Feb 2004 14:51:07 +1100 [thread overview]
Message-ID: <200402141451.08044.russell@coker.com.au> (raw)
In-Reply-To: <000c01c3f265$9139f860$020d010a@columbia.tresys.com>
On Sat, 14 Feb 2004 06:14, "Frank Mayer" <mayerf@tresys.com> wrote:
> 2) Because SE Linux introduced "pragmatic" mandatory security to the world,
> and it seems to be having success after our decades of failure of finding a
> means to introduce strong mandatory security to the "mainstream." My
> observations to date are very few are concerned (rightly or wrongly) with
> rigorous policy analysis, and are more concerned with a practical mechanism
> to provide greater least privilege and system hardening.
Yes, this is an issue that can not be under-estimated.
Currently my work is tending towards providing less protection so that it is
more acceptable to the majority of users. My personal preference of the
trade-off between security and usability is to have more security than most
people will be prepared to accept. But we have to do what's necessary to get
the user-base.
When we get SE Linux in wide-spread use with a less restrictive policy it will
be much easier for everyone who is interested in security. Taking a system
that's running SE Linux in a less restrictive manner and reconfiguring it to
be more restrictive is easy, installing SE Linux on a server that has not run
it before is much more difficult.
I would like to see at least 30% of university students who are enthusiastic
about Linux using SE Linux! Then in a few years time there will be a good
user-base of people who know how SE Linux works and have a good general
knowledge of security.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2004-02-14 3:51 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-12-22 22:47 Announce: SELinux conditional policy extensions Karl MacMillan
2004-02-13 1:22 ` Joshua D. Guttman
2004-02-13 5:19 ` Colin Walters
2004-02-13 14:43 ` Stephen Smalley
2004-02-13 19:24 ` Frank Mayer
2004-02-13 19:14 ` Frank Mayer
2004-02-14 3:51 ` Russell Coker [this message]
2004-02-20 13:05 ` John D. Ramsdell
2004-02-20 13:23 ` Stephen Smalley
2004-02-20 14:46 ` Frank Mayer
2004-02-20 15:14 ` John D. Ramsdell
2004-02-16 21:20 ` Joshua D. Guttman
2004-02-17 1:50 ` Frank Mayer
2004-02-20 11:21 ` Announce: Slat 1.1.0 with policy deconditionalizer John D. Ramsdell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200402141451.08044.russell@coker.com.au \
--to=russell@coker.com.au \
--cc=SELinux@tycho.nsa.gov \
--cc=aherzog@mitre.org \
--cc=dac@tresys.com \
--cc=gmw@tycho.ncsc.mil \
--cc=guttman@mitre.org \
--cc=gwilliam@mitre.org \
--cc=kmacmillan@tresys.com \
--cc=mayerf@tresys.com \
--cc=ramsdell@mitre.org \
--cc=sds@epoch.ncsc.mil \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.