SELINUX - Why?
Paul Howarth
paul at city-fan.org
Fri Jul 29 13:46:28 UTC 2005
Timothy Murphy wrote:
> However, I am not convinced that it is sensible to run selinux
> on a small home network with three or four computers on it.
I do this. Took a bit of fixing for FC4 with all of the new daemons
covered by FC4's policy compared with FC3, but I'm happily running in
enforcing mode now.
> The problems selinux causes are out of all proportion
> to the insurance it might supply.
Matter of opinion. One might say the same about running everything as root.
> Selinux might make sense for a large system with hundreds of users,
> with a system administrator who has time to devote to such matters.
>
> There are two issues which I have yet to be convinced about:
>
> 1. None of the documentation I have read gives any concrete example
> of an intrusion that has actually occurred
> and which might have been stopped by selinux.
> All the examples seem to be purely theoretical.
I believe the common awstats exploit wouldn't work on an SELinux-enabled
system.
> 2. If someone actually broke into my system,
> it seems to me that they could do a large amount of damage,
> eg destroying or altering my personal files,
> regardless of what security measures I had taken.
Yes. SELinux can help to stop them breaking in the first place though.
> One last point, which leads me to favour selinux.
> I believe selinux has been introduced largely as a Linux "selling point",
> the idea being that one could now claim
> Linux is far more secure than Windows.
> Personally, I'm all in favour of this,
> and would be willing to put up with the inconvenience of selinux
> in order to further this argument.
I skipped SELinux at FC2 time (wisely, it appears), but made an effort to
learn about it for FC3, and am learning more in FC4. It's non-trivial,
sure, but not as difficult to get your head round as it might first seem
I think, particularly if you're using the targeted policy rather than
strict.
Paul.
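The reply above turns on two settings: whether SELinux is in enforcing mode and whether the targeted or strict policy is loaded. The script below is an added example, not part of the original post or of Fedora's own tooling; it parses an /etc/selinux/config-style file and reports those two settings. The file content embedded in SAMPLE_CONFIG is constructed for the demonstration; on a real host you would feed the functions the contents of /etc/selinux/config instead.

```shell
#!/bin/sh
# Added example (not from the original post): read the SELINUX= and
# SELINUXTYPE= settings from an /etc/selinux/config style file and say
# whether the box is configured to enforce policy at boot.

# Constructed sample configuration (assumption: same key=value layout
# as Fedora's /etc/selinux/config, comments start with '#').
SAMPLE_CONFIG="$(cat <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
)"

# selinux_setting KEY CONTENT: print the last value assigned to KEY,
# ignoring commented-out lines and trailing comments.
selinux_setting() {
    printf '%s\n' "$2" \
        | sed -n "s/^[[:space:]]*$1=\([^[:space:]#]*\).*/\1/p" \
        | tail -n 1
}

# Configured mode: enforcing, permissive or disabled.
selinux_mode() { selinux_setting SELINUX "$1"; }

# Configured policy type, e.g. targeted or strict.
selinux_policy() { selinux_setting SELINUXTYPE "$1"; }

# is_enforcing CONTENT: succeed only when the config asks for enforcing mode.
is_enforcing() {
    [ "$(selinux_mode "$1")" = "enforcing" ]
}

# Describe the sample configuration when run directly.
echo "Configured mode:   $(selinux_mode "$SAMPLE_CONFIG")"
echo "Configured policy: $(selinux_policy "$SAMPLE_CONFIG")"
if is_enforcing "$SAMPLE_CONFIG"; then
    echo "SELinux would enforce the $(selinux_policy "$SAMPLE_CONFIG") policy at boot."
else
    echo "SELinux is not set to enforce; denials would at most be logged."
fi
```

Permissive mode only logs what enforcing mode would block, so a host that reports `permissive` gets none of the containment the reply is describing; the check is meant to make that distinction visible without having to remember the file's syntax.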