Re: Conflicted about SELinux; need advice

On Mon, 2004-11-15 at 08:11 -0800, Dave Roberts wrote:
> Okay, so I'm sitting here with a nice, stable FC1 configuration. Today,
> it has seen uptime of over two months. In short, works great.
> 
> I decided the other day that I should probably upgrade to FC3. I skipped
> FC2 since FC1 was still getting security updates and I didn't have a big
> reason to change. Also, with the first appearance of kernel 2.6.x in
> FC2, I just decided to let the kinks get worked out. Now that FC1
> stopped getting security updates, I figured it was time to move along.
> 
> Now, of course, FC3 includes SELinux as an installation option. This is
> both interesting to me and also the potential for a problem since:
> 1. SELinux is relatively new and this is the first mass deployment of
> it. I remember that it got removed from FC2 while some kinks got worked
> out there.
> 
> 2. There is a learning curve and I'm at square 1 with it.
> 
> Honestly, I probably don't *need* the added security of this,
> specifically. Security patches are fine and I keep up with things. This
> is for a home system, and I'm not running major servers.
> 
> I'm tempted to just install FC3 without the SELinux support, but I'm not
> sure what percentage of users is doing that. If everybody jumps left and
> I jump right, I want to make sure that this doesn't affect problem
> solving capability downstream. In other words, is every posting on this
> list going to start by saying "I am [not] running SELinux..."
> 
> So, suggestions?
> 
> If it matters, I'll be doing a fresh install of "/boot" and "/", but
> moving my home partition from FC1 to FC3. The home partition is ext3, if
> that matters. I have heard that SELinux writes some auxiliary security
> info for each file on disk ("labeling" ?). Will the installation handle
> that automatically if I don't choose to reformat my old partition?
> 
> I read the Fedora SELinux FAQ, but it really assumes you understand a
> bit of SELinux terminology already, which I currently don't.


Ultimately, it is your call, but I would not use the "I am not running
servers" argument as the basis for using or not using SELinux. More
security is a good thing, even on a desktop.

FWIW, I did not use it for FC 2, but I am using it on FC 3 on a laptop.

Beyond the FAQ and other online resources, one other you might want to
look at, which I don't think that I have seen mentioned here, is a brand
new book by Bill McCarty, called "SELinux: NSA's Open Source Security
Enhanced Linux" and published by O'Reilly:

http://www.oreilly.com/catalog/selinux/

I picked up a copy via Amazon.com:

http://www.amazon.com/exec/obidos/tg/detail/-/0596007167

HTH,

Marc Schwartz


