Ask HN: Can We Really Trust SELinux?

6 points by grumps ↗ HN
I apologize now if you happen to be a maintainer for SELinux and you happen to be reading this and take offense by it.

I realize you can't really trust anyone and that three letter agencies have their hands in everything. I also know that there's been many posts about the Intel's random number generators and various other backdoors. I also don't have a solid understand of SELinux at the moment. I do know of it and that it's very commonly used.

I do a double take when a see the incorporation of software that was originally developed by the NSA, does anyone else feel that this really is worth a further examination by independent sources? Maybe it is, and maybe this is just a dumb question. I'd just like some thoughts...

5 comments

[ 3.7 ms ] story [ 24.4 ms ] thread
Go read the source code and decide for yourself.

Even if we didn't "trust" SELinux it is irrelevant as SELinux is primarily used as a secondary security layer, with the primary being things like firewalls and internal software functionality.

The majority of the people who are concerned about SELinux literally don't understand what SELinux is or does. You couldn't understand SELinux and at the same time be concerned that it was a backdoor into the Linux OS.

And if you are technically literate enough to understand SELinux and are still concerned then go literally inspect the code yourself and find the backdoors.

I also don't have a solid understand of SELinux at the moment.

don't you think it might be best to fix that before you ask such an expansive question?

it's an optional access control system. when enabled it adds security to a system.

it's open source. it's also only one of a bunch of alternatives - people are also free to use apparmor, or even smack or tomoyo.

does anyone else feel that this really is worth a further examination by independent sources?

no.

It's open source though. Really, if you can't "trust" SELinux then you cant "trust" the entire open source community.
No, you can't trust it. Just as TOR requires special scrutiny because the US Navy provides something like 2/3 of its funding, SELinux requires special scrutiny because people who want to read your email provide it.

The NSA would not trust code provided to it for free by the Russians. You should not trust code provided to you by the NSA.

However, there's a pretty good chance that SELinux does what it says on the tin, and they're releasing it because:

1) It helps keep the Chinese out of some low-level secure systems 2) It does not keep the NSA out of anything they care about

But security is not just about code, it's about intention, politics, systems, side-effects and so on.

We're all living in a spy thriller now, where unseen people watch our every move online, and use vast machines to correlate our profiles with their ideas of risk. That's the live that you and I live.

Paranoia is normal.