Re: SELINUX - Why?

Timothy Murphy wrote:
> However, I am not convinced that it is sensible to run selinux
> on a small home network with three or four computers on it.

I do this. Took a bit of fixing for FC4 with all of the new daemons covered by FC4's policy compared with FC3, but I'm happily running in enforcing mode now.

> The problems selinux causes are out of all proportion
> to the insurance it might supply.

Matter of opinion. One might say the same about running everything as root.

> Selinux might make sense for a large system with hundreds of users,
> with a system administrator who has time to devote to such matters.
>
> There are two issues which I have yet to be convinced about:
>
> 1. None of the documentation I have read gives any concrete example
> of an intrusion that has actually occurred
> and which might have been stopped by selinux.
> All the examples seem to be purely theoretical.

I believe the common awstats exploit wouldn't work on an SELinux-enabled system.

> 2. If someone actually broke into my system,
> it seems to me that they could do a large amount of damage,
> eg destroying or altering my personal files,
> regardless of what security measures I had taken.

Yes. SELinux can help to stop them breaking in the first place though.

> One last point, which leads me to favour selinux.
> I believe selinux has been introduced largely as a Linux "selling point",
> the idea being that one could now claim
> Linux is far more secure than Windows.
> Personally, I'm all in favour of this,
> and would be willing to put up with the inconvenience of selinux
> in order to further this argument.

I skipped SELinux at FC2 time (wisely, it appears), but made an effort to learn about it for FC3, and am learning more in FC4. It's non-trivial, sure, but not as difficult to get your head round as it might first seem, I think, particularly if you're using the targeted policy rather than strict.


