Why do I need SELinux?

Joel rees at ddcom.co.jp
Mon Feb 21 04:13:03 UTC 2005


Although it looks as if this thread has been beaten sufficiently to
death, I thought I'd air some of my ignorance on the subject:

The reasons I see for not using SELinux are as follows:

One, this is still in-front-of-leading-edge technology. For all that the
NSA is a major contributor, it needs a lot of debugging.

Two, I know that mis-configuration can result in reduced security, and I
haven't had time to learn the configuration yet. I particularly worry
about getting the system-level policy right for the kinds of things I do.

Three, I'm not confident that ACLs are as effective as they are said to
be, and I know how to set up the equivalent of ACLs using standard unix
permissions, and that does cover most of my needs. 

(I know some common implementations of ACLs are a couple of dollars
short. When I can get the time to study the current implementation in
SELinux, I may change my mind about this point.)

The reasons I see for "normal home users" using SELinux are as follows:

One, IP spoofing. Even assuming your firewall is correctly set to block
packets coming from outside with local range IP source addresses, if you
lose one box inside, filtering ssh access based on IP address is going
to fail. (And I really _do_ want to ssh in from outside, anyway.)

Two, you're bound to want to run something that you don't really want to
trust the whole system to, which at some point will want access to
something that gives it more potential access than you want it to have,
say something in /etc, and ACLs and policies should give you the
opportunity to at least try to limit the evil that could be done.

Three, geeks are human.

Four, if Linux users don't debug SELinux, who will?

And it's number four that would win in my case, if I had the extra
hardware. 

The home systems of members of this mail list are probably as good a
debug environment as could be hoped for, in terms of making this kind of
technology available to _real_ normal users.

--
Joel Rees   <rees at ddcom.co.jp>
digitcom, inc.   株式会社デジコム
Kobe, Japan   +81-78-672-8800
** <http://www.ddcom.co.jp> **
