Why do I need SELinux?
James Wilkinson
james at westexe.demon.co.uk
Mon Feb 21 13:25:40 UTC 2005
Timothy Murphy wrote:
> But does _everyone_ need SELinux?
> I'm willing to be convinced, but I haven't been yet.
>
> I think I am probably a typical home user,
> perhaps with a bit more equipment than normal.
With the current implementation, you may have a point.
http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#id2764702
says that:
> Currently, the list of daemons is dhcpd, httpd (apache.te), named,
> nscd, ntpd, portmap, snmpd, squid, and syslogd
Home users probably shouldn't be running httpd, named, or snmpd. Unless
they've got NFS set up they shouldn't be running portmap. Squid, nscd,
ntpd and dhcpd are optional, depending on what you're doing. In fact,
the only daemon that pretty well everyone will be running is syslogd.
Even with SELinux, it's still (theoretically) safer not to have services
running (or installed) at all.
So SELinux buys you some extra protection on syslogd. This is good, in
case you misconfigure your firewall AND you configure syslogd to listen
to the network AND there's a hole in syslogd, OR an attacker manages to
get some application to log precisely what the attacker wants AND
there's a suitable hole in syslogd.
Yes, it buys extra protection. But *in this case*, especially if you're
not concerned about malicious local users, there isn't much extra
protection.
On the flip side, similar logic means that SELinux should only have
negative effects on syslogd, so why not turn it on?
James.
--
James Wilkinson | USER ERROR: replace user and press any key
Exeter Devon UK | to continue.
E-mail address: james |
@westexe.demon.co.uk |
More information about the fedora-list
mailing list