Selinux
Wayne Feick
waf at brunz.org
Sun Nov 30 16:58:21 UTC 2008
On Sat, 2008-11-29 at 17:47 -0800, Russell Miller wrote:
> This does strike me as a little sloppy. If Fedora installs it,
> shouldn't Fedora set selinux to allow it? Maybe I'm missing something...
Not necessarily. For example, when you enable Samba, you have to further
enable an selinux setting if you're going to be sharing home directories
via Samba. Otherwise, the requests are rejected by default. The idea
here is that while a particular program may allow a variety of things to
be done, you can use selinux to block things in a fine grained way,
external to that program.
Why is this better than just not configuring the program to do things
you don't want in the first place? The answer to that is the program
itself might get subverted through something like a buffer overwrite.
Generally speaking, in the security world you default to the most
restrictive behavior and administrators loosen up the restrictions as
needed. This, of course, tends to annoy everyday users who don't realize
all the insecurities of what they want to do, and just want it to work.
I mean, all those flashing red lights and sirens can be annoying when
all I want to do is start a little campfire over there next to the gas
cans.
Make sense?
Wayne.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/fedora-list/attachments/20081130/e97495a7/attachment-0001.htm>
More information about the fedora-list
mailing list