Re: Why do I need SELinux?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 2005-02-21 at 00:38 +0000, Timothy Murphy wrote:
> Rahul Sundaram wrote:
> 
> > oh please. I was discussing about the NEED of SELinux for everyone
> 
> But does _everyone_ need SELinux?
> I'm willing to be convinced, but I haven't been yet.
> 
> I think I am probably a typical home user,
> perhaps with a bit more equipment than normal.
> 
> My connection to the outside world is through my desktop, and ADSL.
> I connect to my ISP by dhcp (and pppoe).
> I'm running shorewall standard two-interface setup on my desktop.
> As far as I can see, this means that no-one outside my system
> should be able to get in,
> and I certainly see hundreds of packets each day on LogWatch
> that have failed to get in through a large number of ports.
> 
> (1) Am I deluded in thinking myself reasonably safe?
> 
> (2) It also seems to me that if someone did succeed in getting in
> they would very probably have superuser privileges,
> and so could counteract SELinux if they wanted to?
> 
> So for both these reasons (but mainly (1))
> I remain unconvinced that SELinux has anything to offer _me_.
> And what is more, it seems to me that the same will apply
> to most home users,
> who I assume are not running web servers accessible by the world.
----
it's not one thing - it's everything.

Have wireless access on your home lan? What if you are slow in updating
kernel in shorewall system? What if you access malicious web site as
root? What if you download a tarball with malicious code?

There's so many different ways you can have your security break - to
look at your system and say, well I'm not running a web server, so this
doesn't apply is entirely beside the point.

Windows employs too little audited code, too few security checks and
consequently, we see the things that have happened with their reputation
with respect to security. Linux has a new technology that is arriving
simultaneously with the 2.6 kernels that is designed to provide another
additional layer of security - very handy when you execute the wrong
code, misconfigure the wrong daemon, absentmindedly stop firewall
services, etc. Yes, it's a PITA. Yes, we are having to deal with a
technology that we neither understand nor wish to deal with.

Getting superuser access by virtue of crashed daemon is not the same
thing as logging in as root and that is one of the protections of
SELinux.

Shut it off if you want. The cost of shutting it off is removing one
layer of protection. If it means that little to you - shut it off.

Craig


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux