SELINUX - Why?
Ralf Corsepius
rc040203 at freenet.de
Fri Jul 29 15:54:29 UTC 2005
On Fri, 2005-07-29 at 09:52 -0400, Daniel J Walsh wrote:
> Targeted policy goal is to protect Userspace from system space. So we
> try to lock down all of system space into individual vaults or
> compartments. So if someone breaks into your personal apache web
> server/ftp server and gains a shell account, they can not gain access
> to other parts of the system. With targeted policy, userspace should be
> unaffected, so you shouldn't really notice SELinux is running.
Unfortunately, reality is different. Many tiny little problems related
to SELinux interfere all over the place.
My answer template to the original question:
ATM, SELinux is a promising approach, but still has rough edges.
- If you are willing and able to cope with small probs, you might like
it as it could once save your system/data.
- If you are not able or willing to cope with these probs, switch it
off. Your system won't be more vulnerable than most other Linux/Unix
systems around, these days.
The future will show if SELinux is viable.
Ralf