SELINUX - Why?

Paul Howarth paul at city-fan.org
Fri Jul 29 13:46:28 UTC 2005


Timothy Murphy wrote:
> However, I am not convinced that it is sensible to run selinux
> on a small home network with three or four computers on it.

I do this. Took a bit of fixing for FC4 with all of the new daemons 
covered by FC4's policy compared with FC3, but I'm happily running in 
enforcing mode now.

> The problems selinux causes are out of all proportion
> to the insurance it might supply.

Matter of opinion. One might say the same about running everything as root.

> Selinux might make sense for a large system with hundreds of users,
> with a system administrator who has time to devote to such matters.
> 
> There are two issues which I have yet to be convinced about:
> 
> 1. None of the documentation I have read gives any concrete example
> of an intrusion that has actually occurred
> and which might have been stopped by selinux.
> All the examples seem to be purely theoretical.

I believe the common awstats exploit wouldn't work on an SELinux-enabled 
system.

> 2. If someone actually broke into my system,
> it seems to me that they could do a large amount of damage,
> eg destroying or altering my personal files,
> regardless of what security measures I had taken.

Yes. SELinux can help to stop them breaking in the first place though.

> One last point, which leads me to favour selinux.
> I believe selinux has been introduced largely as a Linux "selling point",
> the idea being that one could now claim
> Linux is far more secure than Windows.
> Personally, I'm all in favour of this,
> and would be willing to put up with the inconvenience of selinux
> in order to further this argument.

I skipped SELinux at FC2 time (wisely, it appears), but made an effort to 
learn about it for FC3, and am learning more in FC4. It's non-trivial, 
sure, but not as difficult to get your head round as it might first seem, 
I think, particularly if you're using the targeted policy rather than 
strict.

Paul.




More information about the fedora-list mailing list