[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: SELinux removed from desktop cd spin?



On Wed, Jan 16, 2008 at 09:19:38PM +0100, Valent Turkovic wrote:
> On Jan 16, 2008 9:03 PM, Daniel P. Berrange <berrange redhat com> wrote:
> > On Wed, Jan 16, 2008 at 08:57:56PM +0100, Valent Turkovic wrote:
> > > Hi,
> > > I believe that SELinux is a great linux server security hardening tool
> > > but that has little use in desktop linux usage and it confuses
> > > ordinary desktop users.
> >
> > It is of great use in a desktop spin. On my 'desktop' install for my
> > laptop I have many many system daemons running under a confined domain
> 
> You, of course, will always have the ability to choose to install it
> and use it.
> 
> > > If it hasn't been discussed before I would like to propose that on
> > > desktop cd spin SELinux is not installed by default, of course after
> > > discussion and approval from you (fedora devels).
> >
> > No. SELinux provides very real & important protection for desktop users.
> 
> Can you give me examples of this protection over fedora 9 without
> SELInux or with SELinux in permissive mode?

Yes. SELinux mitigated against the recent HPLIP security flaw which
would have allowed arbitrary code execution as root.

  http://james-morris.livejournal.com/25140.html
  https://rhn.redhat.com/errata/RHSA-2007-0960.html

There have been other similar scenarios where security flaws have been
prevented, or their damage mitigated by presence of SELinux

Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]