
On Tue, Sep 10, 2013 at 12:45:19PM +1000, Trent W. Buck wrote:
Jason White <jason@jasonjgw.net> writes:
Trent W. Buck <trentbuck@gmail.com> wrote:
Robin Humble <rjh+luv@cita.utoronto.ca> writes:
Android 4.3 has started using selinux. do we really trust android vendors to be on top of complex selinux configs or would we be better off with it err, off?

If you're running Frobozz distro and you don't trust Frobozz, Inc. to get security right, maybe you should pick a different distro.

exactly. do you trust samsung's coding abilities?
http://www.androidpolice.com/2012/12/16/samsung-exynos-4-exploit-discovered-...
people who fail at that level can't be trusted at all. yet plenty of folks still buy samsung phones... which is fine as long as you don't run samsung's buggy android version on it.

Having said that, if he's concerned about SELinux complexity, he should compile Linux without SELinux (rather than compiling it in and then disabling it) -- or run a simpler kernel entirely (e.g. OpenBSD's).

yup, sometimes I just don't compile it into the kernels.

I see selinux as implementing bad practice. if daemons and apps aren't secure on their own then papering over that with a complex set of empirical behaviour checks isn't really going to help very much. in fact it's counter productive as it hides the real problems while adding complexity (ie. bugs) and a false sense of security.

have there been many (any?) real world examples of selinux stopping attacks? I'm happy to hear success stories 'cos all I know at the moment is that it's caused a lot of admin grief and opened up at least one security hole.

cheers,
robin