On Sat, 2005-02-19 at 21:01 +0100, Felipe Alfaro Solana wrote:
> On 19 Feb 2005, at 18:14, David Cary Hart wrote:
>
> > I'm running production web, mail and FTP servers and I don't appreciate
> > the value of SELinux. Someone in the DShield list referred to this as
> > "protection for the tinfoil helmet set."
> >
> > However, I do not NAT SSH nor Telnet. For that matter, the only ports
> > that are open are http, smtp, pop3 and ftp.
>
> All of them are points of attack. SELinux can protect what they can do
> in case a hacker tries to exploit them. Also POP3 and FTP are
> considered insecure as they use plain-text logins. Also, POP3 usually
> runs as root in order to access user mailboxes.
---
I don't think the daemons that serve pop3 or imap are likely to be
running as root, but I guess that would probably depend upon which one
you are using. Obviously a lot of care has been given to have
http/smtp/ftp daemons not run with root privileges either.

There have been recent issues with things like phpbb which tend to need
write access for the apache user to be able to write and I would presume
then gets php to execute code to give them access to system - and it's
clear that in a situation such as this, SELinux is bound to help.

Still goes back to what Joanne was talking about the other day - belts
and suspenders...security being about layers and not about single point
failure.

Craig