Why do I need SELinux?

Felipe Alfaro Solana lkml at mac.com
Sun Feb 20 12:48:39 UTC 2005


On 19 Feb 2005, at 21:29, Craig White wrote:

> On Sat, 2005-02-19 at 21:01 +0100, Felipe Alfaro Solana wrote:
>> On 19 Feb 2005, at 18:14, David Cary Hart wrote:
>>
>>> I'm running production web, mail and FTP servers and I don't appreciate
>>> the value of SELinux. Someone in the DShield list referred to this as
>>> "protection for the tinfoil helmet set."
>>>
>>> However, I do not NAT SSH nor Telnet. For that matter, the only ports
>>> that are open are http, smtp, pop3 and ftp.
>>
>> All of them are points of attack. SELinux can protect what they can do
>> in case a hacker tries to exploit them. Also POP3 and FTP are
>> considered insecure as they use plain-text logins. Also, POP3 usually
>> runs as root in order to access user mailboxes.
> ---
> I don't think the daemons that serve pop3 or imap are likely to be
> running as root but I guess that would probably depend upon which one
> you are using.

That's why I said *usually* ;-) AFAIK, cyrus-imapd is the only one that
uses a special DB backend instead of maildirs, and thus can run, and
indeed it does, as a normal user. Don't know about dovecot, but others I
tried in the past required running as root.



