SELINUX - Why?

Timothy Murphy tim at birdsnest.maths.tcd.ie
Fri Jul 29 13:34:42 UTC 2005 

taharka wrote:

>> What I mean is, I ask "Why should I run selinux?" The answer
>> then seems to be "We don't know, but if you don't bad things
>> might happen to your system due to malicious programs."

> If you're interested, there's an excellent read on selinux, in the
> August issue of "Sys Admin Magazine". Fortunately, this article can be
> read online at: http://www.samag.com/documents/s=9820/sam0508a/0508a.htm
> :-) Might make things a little clearer for you ;-)

I read this article,
and it does indeed seem to give a reasonably clear account
of what is a rather complicated system (selinux).

I don't personally think there is any serious danger of selinux
introducing new vulnerabilities,
(a) because the authors of selinux are likely to take much more care
about such matters than the authors of other applications, and
(b) there are hundreds, if not thousands, of applications on a Linux system,
so the danger of any particular application causing security problems
is negligibly small.

However, I am not convinced that it is sensible to run selinux
on a small home network with three or four computers on it.
The problems selinux causes are out of all proportion
to the insurance it might supply.

Selinux might make sense for a large system with hundreds of users,
with a system administrator who has time to devote to such matters.

There are two issues which I have yet to be convinced about:

1. None of the documentation I have read gives any concrete example
of an intrusion that has actually occurred
and which might have been stopped by selinux.
All the examples seem to be purely theoretical.

2. If someone actually broke into my system,
it seems to me that they could do a large amount of damage,
eg destroying or altering my personal files,
regardless of what security measures I had taken.

It is rather like someone breaking into your house.
You can hide your valuables, certainly,
which I would take to be equivalent to encrypting important data.
But there is not much point in locking the drawers in your desk.

One last point, which leads me to favour selinux.
I believe selinux has been introduced largely as a Linux "selling point",
the idea being that one could now claim
Linux is far more secure than Windows.
Personally, I'm all in favour of this,
and would be willing to put up with the inconvenience of selinux
in order to further this argument.






-- 
Timothy Murphy  
e-mail (<80k only): tim /at/ birdsnest.maths.tcd.ie
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland

More information about the fedora-list mailing list