[rhelv6-list] selinux (not quite) disabled?

Lamar Owen lowen at pari.edu
Sat Dec 4 16:41:00 UTC 2010


On Friday, December 03, 2010 09:16:13 am Greg_Swift at aotx.uscourts.gov wrote:
> I'm not saying I've succeeded in convincing people to let me run SELinux in
> enforcing anywhere, but think about the argument you just made:
> 
> "I've got it [SELinux] enabled on my desktop and laptops", which while
> useful, aren't as ready of targets for hackers (we are talking Linux not
> Windows).  Desk/laptop environments are also more broad and varied in
> software that is run and the potential that you will run into SELinux
> issues (such as jch's dropbox issue).

As desktop use is probably going to involve web browsing (either on an intranet site, or the Internet), and perhaps PDF files enter the picture, and as those are the prime vectors for attacks, and as much personal information as can be swiped is the new target of data thieves, the desktop should be locked down tighter in many ways than the server.

I don't care if my desktop gets rooted as much as I care whether a web/flash/PDF exploit just made off with banking/credit card/tax/other financial details and files. (Of course I do care if it gets rooted; but with a proper SELinux policy in place it would be possible to keep root away from my files, too, for that matter; I just care more if an identity thief meets success without rooting my desktop).

SELinux is the ideal tool to keep PDF readers like Adobe Reader away from anything but PDF files and unable to write to anything except to save a file that doesn't already exist, or to only save things in certain places for triage/scanning.  It's the ideal thing to keep Flash from even accessing ~/Documents, or for Firefox to only be able to write to .mozilla and maybe ~/Downloads, and not to be able to read from anywhere unless the user gives specific permission to do so.  The desktop-oriented tools aren't quite up to the usability needs of that use case, unfortunately, although they are getting better.

Yes, there will be issues that arise.  But if SELinux can keep a Firefox/Opera/Chrome exploit from working, or better, from gaining root, then it's a win, even if it's inconvenient at times.

I know the bias is typically towards servers as being the most attractive targets; no, at this point I think mobile is going to be the most attractive target, with desktops a close second and servers in third place.  

IMHO, of course, and YMMV.



