A great article on why to use SELinux

John Summerfield debian at herakles.homelinux.org
Thu Feb 28 00:31:05 UTC 2008

Lamar Owen wrote:
> On Tuesday 26 February 2008, Jim wrote:
>> http://www.linuxworld.com/news/2008/022408-selinux.html
> Folks who doubt SELinux's ultimate value need to read this article.  It is an 
> excellent case for why to do this.
> And given that the first compromised software (HP's software) is more of a 
> workstation software, SELinux can/could prevent your Linux desktop from 
> becoming a zombie/bot just like the poor Windows boxes become.
> SELinux: not just for servers anymore.
> Inconveniences aside, if workstation/desktop software (like firefox, 
> evolution, kmail, etc) can be exploited and turn a Linux desktop/laptop into 
> a botnet zombie without SELinux, then it seems to me that we collectively 
> need to work on making SELinux work properly so that Linux doesn't get the 
> same black eye that Windows has for botnet purposes.  Hrmph, a Linux box, 
> with all the typical dev tools installed, would make a ten times better 
> botnet zombie than Windows anyway!

The only penetrations I've seen arrived by ssh. I don't think selinux 
would have helped there; the sorts of restrictions I can think of would 
also prevent the user from doing what users ought to be able to do, such 
as downloading stuff (including email), sending email and so forth.

Still need good traditional security - sound passwords, VPNs, don't 
allow more dangerous services such as ssh to listen for connexions from 
undesirable sources.

I've always thought the idea of selinux a good one, but it seems to me 
overly complex. And the implementation in f9alfa is fairly disastrous 
(depending on what one needs to do).


