Selinux and Compiz

Jerry Amundson jamundso at gmail.com
Mon Oct 27 00:13:14 UTC 2008


On Sun, Oct 26, 2008 at 4:29 PM, David Nalley <david at gnsa.us> wrote:
> On Sun, Oct 26, 2008 at 3:17 PM, Ben Gamari (FOSS) <bgamari at gmail.com> wrote:
>> Or we can simply decide that sticking our collective head in the sand is
>> not an option when it comes to security, leave it enabled, and fix the
>> remaining issues. There is no reason why SELinux needs to cause any
>> issues in the vast majority of cases. Sure, if you are running a poorly
>> tested/proprietary configuration (e.g. NVidia blob) then you will
>> probably not have a completely glitch-free experience. However,
>> degrading the security of the entire platform to cater to a small subset
>> of users is simply not acceptable.
>>
>> Security-wise, we in the Linux community have been extremely lucky
>> thus far. We represent a small percentage of Internet users and thus
>> desktop exploits aren't particularly prevalent. However, if and when
>> Linux becomes a sizeable player on the desktop/end-user space, we are
>> going to have far greater security issues. Look at Windows. Even without
>> considering the brain-dead security defaults, Windows XP is a security
>> nightmare. Many of the issues that Windows has with malware could be
>> mitigated with proper containment through MAC. Giving any application or
>> service open access to anything on the system is a recipe for disaster.
>> The fact is, the least-privilege principle simply can't realistically be
>> implemented using only a primitive user/group privilege system. A
>> perception that Linux is weak in security will only further hamper
>> future adoption.
>>
>> We have already seen early indications of the remarkable power that
>> containment holds. To disable SELinux by default would be to remove a
>> vital part of our security subsystem. Nobody can deny that there are
>> still issues, but these can be fixed and once they are, the result will
>> be a more secure computing environment for all.
>>
>> - Ben
...
> While I agree with Ben's statements - I'll also add one other comment.
> If you've ever had to report a problem with SELinux and gone to the
> quite minimal effort to file a bug listing the AVC denial errors in
> place, you'd see that Dan Walsh and company work very fast to resolve
> it. I'll admit that I have only reported problems twice (once in
> channel and once in Bugzilla) but never did I go more than 24 hours
> before a fix was available (even if it was a koji build) (That said
> it's also relatively easy to fix on your own as well - but it's worth
> it to get the changes upstream in the targeted policy.)
> Moreover, permissive domains REALLY change the landscape.
> I wish I could remember who to attribute this to, but someone on
> -devel suggested that the same arguments occurred when firewalls were
> really starting to become commonplace - a lack of knowledge of how to
> manipulate and handle them caused repeated calls for their removal.
> Mandatory Access Control isn't going away, and is really one of the
> shining examples of Fedora leading the way with something and making
> it far easier to use than it was.

Ben, you had me at "Windows". ;-)
Thank you also, David, for reassurance on the resolution side of
things. My misconception up to now had been that bz'd selinux issues
were lumped in with everything else. Good to hear that's not the case.
And of course, my apologies to Rahul and Bruno for erring on the side
of the dramatic. I have been known, on occasion, to howl at the moon.
I'm reaching over to one of my other laptops, menu item for
s-c-selinux, good, enforcing mode, relabel yes, done.
I see this not as an end, but as a beginning! :-)

jerry

ps. Relabel is complete. logged in, wireless connected, just like any
regular day, but *safer*. Brings a bit of a tear to me eyes! :)

-- 
There's plenty of youth in America - it's time we find the "fountain of smart".




More information about the fedora-test-list mailing list