

Ask HN: Can We Really Trust SELinux? - grumps

I apologize now if you happen to be a maintainer for SELinux and you happen to be reading this and take offense at it.

I realize you _can't_ really trust anyone and that three letter agencies have their hands in everything. I also know that there's been many posts about Intel's random number generators and various other backdoors. I also don't have a solid understanding of SELinux at the moment. I do know of it and that it's very commonly used.

I do a double take when I see the incorporation of software that was originally developed by the NSA, does anyone else feel that this really is worth a further examination by independent sources? Maybe it is, and maybe this is just a dumb question. I'd just like some thoughts...
======
andrewcooke
_I also don't have a solid understanding of SELinux at the moment._

don't you think it might be best to fix that before you ask such an expansive
question?

it's an _optional_ access control system. when enabled it _adds_ security to a
system.

it's open source. it's also only one of a bunch of alternatives - people are
also free to use apparmor, or even smack or tomoyo.

_does anyone else feel that this really is worth a further examination by
independent sources?_

no.

------
UnoriginalGuy
Go read the source code and decide for yourself.

Even if we didn't "trust" SELinux it is irrelevant as SELinux is primarily
used as a secondary security layer, with the primary being things like
firewalls and internal software functionality.

The majority of the people who are concerned about SELinux literally don't
understand what SELinux is or does. You couldn't understand SELinux and at the
same time be concerned that it was a backdoor into the Linux OS.

And if you are technically literate enough to understand SELinux and are still
concerned then go literally inspect the code yourself and find the backdoors.

------
leashless
No, you can't trust it. Just as TOR requires special scrutiny because the US
Navy provides something like 2/3 of its funding, SELinux requires special
scrutiny because people who want to read your email provide it.

The NSA would not trust code provided to it for free by the Russians. You
should not trust code provided to you by the NSA.

However, there's a pretty good chance that SELinux does what it says on the
tin, and they're releasing it because:

1) It helps keep the Chinese out of some low-level secure systems

2) It does not keep the NSA out of anything they care about

But security is not just about code, it's about intention, politics, systems,
side-effects and so on.

We're all living in a spy thriller now, where unseen people watch our every
move online, and use vast machines to correlate our profiles with their ideas
of risk. That's the life that you and I live.

Paranoia is normal.

------
grumps
I just started some Googling - and I see some posts like this that claim it's
not [http://www.cyanogenmod.org/blog/this-week-in-cm-july-19-13](http://www.cyanogenmod.org/blog/this-week-in-cm-july-19-13)

My real question out there is for the Kernel and Linux gurus.

------
krapp
It's open source though. Really, if you can't "trust" SELinux then you can't
"trust" the entire open source community.

