[ale] Distro Reply

Jonathan Rickman jrickman at gmail.com
Tue Jan 4 02:14:02 EST 2005


On Mon, 03 Jan 2005 23:18:39 -0500, James P. Kinney III
<jkinney at localnetsolutions.com> wrote:

> As long as the XP weak link is out of the picture, SELinux makes the
> system _VERY_ hardened from internal and external attacks.

Just because I can't resist playing the advocate for the evil one, and
because I happen to know a thing or twenty about Windows security...

On what basis do you believe that a properly configured SELinux is
superior to a properly configured Windows XP SP2 machine? Both Windows
and Linux are prone to having buggy code. So setting that aside and
just taking for granted that there are no flaws (totally hypothetical
here now) in the code used to generate the software in the first
place, what exactly does SELinux offer in the way of security features
that Windows XP with SP2 and an appropriate local security policy
and/or AD group policy lacks?

I know the technical answers already so there's no need to start a
discussion of MAC vs. DAC, but I'm not seeing the practical
application outside of certain defense-related environments. I pretty
much know the HIPAA regs inside and out, or at least I did a year ago
when I still had some interest in it all. There is no requirement for
data labeling or mandatory access controls that is typically seen in
the .mil/.gov arena. Those are really the only practical features
missing from Windows, so I fail to see the justification for using
SELinux to satisfy some imaginary HIPAA requirement. Using that as an
argument against Windows in healthcare is a slippery slope when you
consider how terribly incomplete SELinux is in the framework of the
distributions that make use of it. Comparing it to something like
Trusted Solaris reveals this immediately. SELinux is not a magic
bullet, though it is fairly useful on the server side at the present
time.

--
Jonathan


