SELinux on upgraded machines

Ben Gamari bgamari at gmail.com
Fri Dec 12 16:05:57 UTC 2008


On Fri, 2008-12-12 at 06:21 -0500, Leam Hall wrote:
> So far I've avoided the issue by turning SELinux off. While I think
> SELinux is a great idea for advanced users and servers it seems to make
> new user transitions difficult. 
> 
> I wonder if making SELinux default to "disabled" if the install selects
> the Desktop/Office Suite group makes sense? 

Absolutely not. People seem to have this notion that SELinux will only
help servers and advanced workstations, where in fact, the situation is
exactly the opposite. Desktop installations are in greatest need of the
protections afforded by SELinux.

First, I think it is safe to say that server software developers are
generally far more mindful of security in their development cycle than
are those of desktop software. All of those potentially unchecked
buffers in the GObject code of GNOME are a rather frightening prospect
(although the fact that they run as an unprivileged user makes this a
little more bearable).

An inexperienced (i.e. typical) desktop user pays little heed to the
content of what they download, will trust just about anything that comes
to their inbox, and will generally inadvertently do their best to break
the security of their system. For this reason, SELinux is extremely
important in the common desktop case.

Finally, these users generally have the most mainstream workflows (e.g.
Internet, email, and word processing) and thus are some of the least
likely to break SELinux.

I believe that maintaining a usable SELinux infrastructure is absolutely
critical to the long-term security of the Linux desktop. If and when we
begin to represent an appreciable user base, there will be no shortage
of people seeking to test our security, but these won't be nearly as
innocuous as the code reviewers who currently catch our security holes.
For this reason, the second layer of protection provided by SELinux is
crucial.

- Ben





More information about the fedora-test-list mailing list