SELinux removed from desktop cd spin?

Valent Turkovic valent.turkovic at gmail.com
Wed Jan 16 20:35:54 UTC 2008


On Jan 16, 2008 9:25 PM, Daniel P. Berrange <berrange at redhat.com> wrote:
> On Wed, Jan 16, 2008 at 09:19:38PM +0100, Valent Turkovic wrote:
> > On Jan 16, 2008 9:03 PM, Daniel P. Berrange <berrange at redhat.com> wrote:
> > > On Wed, Jan 16, 2008 at 08:57:56PM +0100, Valent Turkovic wrote:
> > > > Hi,
> > > > I believe that SELinux is a great linux server security hardening tool
> > > > but that has little use in desktop linux usage and it confuses
> > > > ordinary desktop users.
> > >
> > > It is of great use in a desktop spin. On my 'desktop' install for my
> > > laptop I have many many system daemons running under a confined domain
> >
> > You, of course, will always have the ability to choose to install it
> > and use it.
> >
> > > > If it hasn't been discussed before I would like to propose that on
> > > > desktop cd spin SELinux is not installed by default, of course after
> > > > discussion and approval from you (fedora devels).
> > >
> > > No. SELinux provides very real & important protection for desktop users.
> >
> > Can you give me examples of this protection over Fedora 9 without
> > SELinux or with SELinux in permissive mode?
>
> Yes. SELinux mitigated against the recent HPLIP security flaw which
> would have allowed arbitrary code execution as root.
>
>   http://james-morris.livejournal.com/25140.html
>   https://rhn.redhat.com/errata/RHSA-2007-0960.html
>
> There have been other similar scenarios where security flaws have been
> prevented, or their damage mitigated by presence of SELinux
>
>
> Dan.

Dan, you are taking this the wrong way. Of course SELinux is great, of
course it prevents 0day exploits, nobody is challenging that.
But what was the real threat to average desktop users? Has anybody
made use of this 0day exploit threat? Is there a Linux virus in the
wild that spread like wildfire that took down all desktops that didn't
use SELinux?

It is a question of cost and benefit. I argue that SELinux makes much
more trouble than it saves people from real danger in a desktop
environment. Of course you need it in a corporate environment and if
you use Fedora as a corporate desktop you should enable it - but don't
make it default for them - especially if most of the people using it
won't understand the cryptic messages that it gives :(

If Fedora is used as a testing ground for the Red Hat corporate desktop then
I understand the decision to make it on by default, but if you really
want average home desktop users to have a pleasant Linux experience I
really see no point in SELinux.

Valent.



-- 
http://kernelreloaded.blog385.com/
linux, blog, anime, spirituality, windsurf, wireless
registered as user #367004 with the Linux Counter, http://counter.li.org.
ICQ: 2125241, Skype: valent.turkovic



