So, because people were arguing in the comments of my last post about things along the lines of “it’s easy to fix the bug”, and that was not the problem I’m even interested in, let me do a new post outlining the problem I am interested in.
Here’s the case: I have a security system that is supposed to protect me. Now I want to run a program. Not just any program, but something that I consider kind of important. And now the security system says “I’m afraid I can’t do that.” The program says “Please run $CRYPTIC to allow this.” What do I do?
Essentially there are three things I can do:
1. Trust the security system
2. Trust the violator
3. Trust myself
Now let’s dissect the choices. Choice (1) is what I want to do and how I use my computer. But that only works if the system doesn’t break things on purpose.
Choice (2) is a no-brainer. The violating program is the potential attacker that must be stopped. I don’t want to trust it.
Choice (3) is complicated, because it requires that I educate myself and am aware of what all the programs on my computer are doing right this moment. This is the approach that everybody seems to advocate. There are nuanced ways in which people suggest I’d do it, but in the end everybody wants to make me decide.
I’d like to add some more examples where we have to figure out how to do things, so we’re not talking just about SELinux vs applications:
- My browser vs SSL certificates
- My browser vs malware sites
- My email program vs binary attachments
- My distribution vs random binaries on the Internet
- My package manager vs --nogpgcheck
- Fences vs where I want to go
- “Do not ever give your SSN to anyone” vs the real world
In all those cases, we all put varying levels of trust in the security system. Of course, those trust relationships can change over time. But generally, nobody takes a security system seriously that requires exceptions to work normally. And if I can’t take my security system seriously, I might as well disable it, because that saves me from babysitting it all the time. And unless SELinux makes an effort to be taken seriously by me, I will continue to do just that.