On Mon, 2004-11-15 at 08:11 -0800, Dave Roberts wrote:
> Okay, so I'm sitting here with a nice, stable FC1 configuration. Today,
> it has seen uptime of over two months. In short, works great.
>
> I decided the other day that I should probably upgrade to FC3. I skipped
> FC2 since FC1 was still getting security updates and I didn't have a big
> reason to change. Also, with the first appearance of kernel 2.6.x in
> FC2, I just decided to let the kinks get worked out. Now that FC1
> stopped getting security updates, I figured it was time to move along.
>
> Now, of course, FC3 includes SELinux as an installation option. This is
> both interesting to me and also the potential for a problem since:
> 1. SELinux is relatively new and this is the first mass deployment of
> it. I remember that it got removed from FC2 while some kinks got worked
> out there.
>
> 2. There is a learning curve and I'm at square 1 with it.
>
> Honestly, I probably don't *need* the added security of this,
> specifically. Security patches are fine and I keep up with things. This
> is for a home system, and I'm not running major servers.
>
> I'm tempted to just install FC3 without the SELinux support, but I'm not
> sure what percentage of users is doing that. If everybody jumps left and
> I jump right, I want to make sure that this doesn't affect problem
> solving capability down stream. In other words, is every posting on this
> list going to start by saying "I am [not] running SELinux..."
>
> So, suggestions?
>
> If it matters, I'll be doing a fresh install of "/boot" and "/", but
> moving my home partition from FC1 to FC3. The home partition is ext3, if
> that matters. I have heard that SELinux writes some auxiliary security
> info for each file on disk ("labeling" ?). Will the installation handle
> that automatically if I don't choose to reformat my old partition?
>
> I read the Fedora SELinux FAQ, but it really assumes you understand a
> bit of SELinux terminology already, which I currently don't.

Ultimately, it is your call, but I would not use the "I am not running
servers" argument as the basis for using or not using SELinux. More
security is a good thing, even on a desktop. FWIW, I did not use it for
FC 2, but I am using it on FC 3 on a laptop.

Beyond the FAQ and other online resources, one other you might want to
look at, which I don't think that I have seen mentioned here, is a brand
new book by Bill McCarty, called "SELinux: NSA's Open Source Security
Enhanced Linux" and published by O'Reilly:

http://www.oreilly.com/catalog/selinux/

I picked up a copy via Amazon.com:

http://www.amazon.com/exec/obidos/tg/detail/-/0596007167

HTH,

Marc Schwartz