How best get rid of SELinux?

Alan Cox alan at lxorguk.ukuu.org.uk
Fri Sep 21 16:08:40 UTC 2007


> Why do the supposed selinux functions, if 10,000% less important than a 
> firewall (my personal estimation anyway) seem to take 10,000 times more 
> maintenance than the far more important firewall?

They solve a harder problem. And actually when we first turned on
firewalling by default a similar thing occurred until howtos and the like
to tweak it appeared.

It's solving a very different problem. Firewalls stop attacks against the
host from outside inwards. Modern attacks are all based on things like
web page flaws, and user stupidity because both of those bypass firewalls.

Since the bad guys can't get in via services they wait for you to come to
them and try and break through your web browser, or they mail you and try
to break your mail client or have you do dumb things like save a PDF file
then read it with acroread without forcing safe mode.

SELinux helps contain these types of attack. It's one of about five
differing things going on - all of which broke something on the way - NX
broke miswritten apps, non-exec elsewhere broke stuff, and so on.

Alan



