SELinux removed from desktop cd spin?

Gilboa Davara gilboad at gmail.com
Thu Jan 17 15:47:42 UTC 2008


On Thu, 2008-01-17 at 15:22 +0100, Valent Turkovic wrote:
> Gilboa Davara wrote:
> > On Wed, 2008-01-16 at 14:29 -0800, Andrew Farris wrote:
> >> Valent Turkovic wrote:
> > [snip]
> >> Sooner or later there WILL be increasing threats to linux and it's quite possible 
> >> to have virii spread in the wild... if good protections against it are not 
> >> developed and supported now then when?  After they show up?
> > 
> > Let alone the fact that having SELinux enabled by default might
> > discourage (some) virus writers from even trying to target Linux -
> > reducing the risk even further...
> 
> What virus writers? linux desktops are that much more secure that I 
> really don't see any benefit - just the opposite for a desktop spin of 
> Fedora to have such an invasive security tool as SELinux. On the server 
> every security measure is welcome.

Secure?
As I see it, you have these types of threats:
A. Network facing services corruption and/or privilege escalation.
B. Local application corruption and/or privilege escalation.
C. Social engineering. (Please type the root password to install this
amazing bouncing icon applet on your machine)

You may, or may not be aware of it, but many desktop machines have open
network facing services (1), such as SMB/NFS/NTP/SSH/etc, and we -all-
open documents/spreadsheets/etc (2).

While it's true that Linux (and *BSD) users tend to be security
conscious (far more than Joe-Windows-user), making them less prone to
1,2 (and especially) 3, but having a 0-day exploit in Firefox, SMB or
SSH can be just as destructive in the Linux world, as it is in the
Windows world.

In such a case, SELinux can be the only thing standing between a hacker
and your data.

> 
> Are you really saying that there are any actual threats in the wild that 
> have spread on linux desktops?

Desktops? Less.
Servers. Sure.

> 
> I think not, and can't see that being any different in next 5 years. So 
> keep developing SELinux and test it in the non desktop spins while tools 
> mature enough to be usable to general linux users on desktop.

-FAR- too late.
SELinux is a very complicated piece of technology.
When things break, you won't have the time to start mucking around with
it.

Last but not least, one of Fedora's main selling points -is- SELinux.
If you can't be bothered to disable it (let alone learn how to
operate/fix it), you shouldn't be using Fedora in the first place.

Making it easier to use and configure? Sure.
Dumbing it down? Hell no.

- Gilboa



