SELinux

Paul Howarth paul at city-fan.org
Fri Jun 9 13:24:57 UTC 2006


Timothy Murphy wrote:
> Paul Howarth wrote:
> 
>>> Which level of SELinux do you recommend for a personal laptop? I mean, if
>>> you are not offering any service to the internet or you don't have many users
>>> and stuff, is it really necessary?
>> I have SELinux enabled on *all* of my machines. But then I know how to
>> fix SELinux issues when they crop up. If it works for you when enabled,
>> you're better off having it, since it offers an additional layer of
>> protection. You don't need to have multiple users or to be offering
>> services on the Internet to get your machine compromised.
> 
> I must admit I have taken the opposite tack.
> I enabled SELinux for a while, but it caused several problems
> (which unlike Paul I had difficulty solving)
> and in the end I decided the tiny amount of protection it offered
> was simply not worth the hassle.
> 
> I'm running shorewall on my desktop (connected to the internet)
> and it seems to me - though I am no expert -
> that this offers sufficient security for my purposes.

It wouldn't protect you against a browser vulnerability triggered by 
visiting a malicious website. There are probably many other types of 
vulnerability that firewalls don't help with too.

(I'm a shorewall user myself too btw)

> I have a sneaking suspicion that SELinux is put forward,
> to some extent, as a kind of window-dressing
> to support the argument that Linux is safer than Windows.

SELinux is far from being window-dressing; when configured properly it 
is capable of restricting each process to the minimum capabilities that 
that process needs to do its job, and most exploits require that 
processes be circumvented to do something else, hence SELinux offers 
protection against those exploits.

Paul.



