Why do I need SELinux?
Craig White
craigwhite at azapple.com
Sat Feb 19 20:29:48 UTC 2005
On Sat, 2005-02-19 at 21:01 +0100, Felipe Alfaro Solana wrote:
> On 19 Feb 2005, at 18:14, David Cary Hart wrote:
>
> > I'm running production web, mail and FTP servers and I don't appreciate
> > the value of SELinux. Someone in the DShield list referred to this as
> > "protection for the tinfoil helmet set."
> >
> > However, I do not NAT SSH nor Telnet. For that matter, the only ports
> > that are open are http, smtp, pop3 and ftp.
>
> All of them are points of attack. SELinux can protect what they can do
> in case a hacker tries to exploit them. Also POP3 and FTP are
> considered insecure as they use plain-text logins. Also, POP3 usually
> runs as root in order to access user mailboxes.
---
I don't think the daemons that serve pop3 or imap are likely to be
running as root but I guess that would probably depend upon which one
you are using.
obviously a lot of care has been given to have http/smtp/ftp daemons not
run with root privileges either.
there has been recent issues with things like phpbb which tend to need
write access for the apache user to be able to write and I would presume
then gets php to execute code to give them access to system - and it's
clear that in a situation such as this, SELinux is bound to help.
still goes back to what Joanne was talking about the other day - belts
and suspenders...security being about layers and not about single point
failure.
Craig
More information about the fedora-list
mailing list