Re: [PEN-TEST] SELinux

From: Renaud Deraison (deraisonat_private)
Date: Sun Apr 22 2001 - 15:13:34 PDT

  • Next message: Batten, Gerald: "Re: [PEN-TEST] Web site password guessing over SSL"

    On Sun, Apr 22, 2001 at 01:49:43PM -0700, Daniel Swan wrote:
    > >From: Catalin Ionescu <cataat_private>
    >
    > >Did anybody had a chance to test SELinux patches/extension to standard Linux
    > >2.4.2 ?
    > >
    >
    > Catalin, I havn't heard anything specifically bad about SeLinux, but considering the source of this package, an American Intelligence Agency, strong caution should be exercised before installing it on machines that store sensitive or proprietary information, at least until a rigorous code audit has been done of it.
    >
    > The NSA isn't interested in the security of others, so much as it is their *insecurity*.  Using security tools written by them is like hiring babysitters from Nambla[1].
    
    
    Please be realistic. Do you really think that if the NSA really wanted
    to introduce any kind of backdoor error in Linux, they would put their name
    of it ? (and go into all the troubles of maintaining such a big software
    package that has no chance to be included in the mainstream kernel
    for quite a long time instead of a two-lines hack in
      /usr/src/linux/net/ipv4/<whatever>.c ?)
    
    
    If you _really_ want to go into conspiracie theories, you'd
    better do a background check on every individual in
    /usr/src/linux/CREDITS (and maybe check the names of the
    contributors in bind and wu-ftpd, the two most popular backdoors even
    written ;)
    
    
    				-- Renaud
    
    --
    Renaud Deraison
    The Nessus Project
    http://www.nessus.org
    



    This archive was generated by hypermail 2b30 : Sun Apr 22 2001 - 16:26:51 PDT