A great article on why to use SeLinux

Daniel J Walsh dwalsh at redhat.com
Fri Feb 29 14:46:19 UTC 2008


klybear wrote:
> On Thu, 28 Feb 2008 09:31:05 +0900, John Summerfield wrote:
> 
>> The only penetrations I've seen arrived by ssh. I don't think selinux
>> would have helped there; the sorts of restrictions I can think of would
>> also prevent the user from doing what users ought be able to do such as
>> download stuff (including email), sending email and so forth.
Some attacks can be prevented with SELinux and ssh although it is just
recently gaining confinement.  If someone out there wanted to experiment
with using SELinux to further confine ssh, it might be an interesting
experiment, (any university student looking for a project?)  SSH
currently has privilege separation which we could take further advantage
of with SELinux and the setcon call, but no one has done this yet.
SELinux will prevent things like buffer overflows in ssh via the
execmem/execmod/execstack/execheap prevention.  It also stops attacks
like grabbing the /etc/shadow file without a password.
> 
> I'm a new full time linux user, having temped with one or two distros in 
> the past, and I have to say that my experience of selinux has been 
> frustrating. I never had any Selinux issues with Ubuntu or Debian, but 
> since using Fedora, three of the four problems I've solved so far turned 
> out to be related to selinux permissions and the fourth one I'm still 
> working on :)
> 
What problems are you having with SELinux?  Have you reported them in
Bugzilla?

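The two kinds of denial named in the message above (the execmem/execmod/execstack/execheap checks and access to the shadow file) can be picked out of the audit log. This is an added example, not part of the original post or of any SELinux tool: the log records are constructed samples, and `ctx_type`, `parse_avc`, `classify` and `summarize` are hypothetical helper names.

```python
import re
from collections import Counter

# Memory-protection permissions named in the message.
MEM_PERMS = {"execmem", "execmod", "execstack", "execheap"}
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample audit records (not taken from a real system).
SAMPLE_LOG = """\
type=AVC msg=audit(1204296379.101:41): avc:  denied  { execmem } for  pid=2101 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=process
type=AVC msg=audit(1204296380.220:42): avc:  denied  { read } for  pid=2230 comm="httpd" name="shadow" dev=dm-0 ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1204296381.007:43): avc:  denied  { execstack execmem } for  pid=2301 comm="ftpd" scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:system_r:ftpd_t:s0 tclass=process
type=AVC msg=audit(1204296382.500:44): avc:  denied  { getattr } for  pid=2400 comm="ls" name="notes" dev=dm-0 ino=77 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1204296382.500:44): arch=40000003 syscall=195 success=no exit=-13
"""

def ctx_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ""

def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    fields["perms"] = set(m.group("perms").split())
    fields["sdomain"] = ctx_type(fields.get("scontext", ""))
    fields["ttype"] = ctx_type(fields.get("tcontext", ""))
    return fields

def classify(rec):
    """Label a denial as one of the two cases from the message, or 'other'."""
    if rec["perms"] & MEM_PERMS:
        return "memory-protection"
    if rec.get("tclass") == "file" and rec["ttype"] == "shadow_t":
        return "shadow-access"
    return "other"

def summarize(log_text):
    """Count (label, source domain) pairs over all AVC denials in the text."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            counts[(classify(rec), rec["sdomain"])] += 1
    return counts
```
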