On Mon, 2005-02-21 at 00:38 +0000, Timothy Murphy wrote: > Rahul Sundaram wrote: > > > oh please. I was discussing about the NEED of SELinux for everyone > > But does _everyone_ need SELinux? > I'm willing to be convinced, but I haven't been yet. > > I think I am probably a typical home user, > perhaps with a bit more equipment than normal. > > My connection to the outside world is through my desktop, and ADSL. > I connect to my ISP by dhcp (and pppoe). > I'm running shorewall standard two-interface setup on my desktop. > As far as I can see, this means that no-one outside my system > should be able to get in, > and I certainly see hundreds of packets each day on LogWatch > that have failed to get in through a large number of ports. > > (1) Am I deluded in thinking myself reasonably safe? > > (2) It also seems to me that if someone did succeed in getting in > they would very probably have superuser privileges, > and so could counteract SELinux if they wanted to? > > So for both these reasons (but mainly (1)) > I remain unconvinced that SELinux has anything to offer _me_. > And what is more, it seems to me that the same will apply > to most home users, > who I assume are not running web servers accessible by the world. ---- it's not one thing - it's everything. Have wireless access on your home lan? What if you are slow in updating kernel in shorewall system? What if you access malicious web site as root? What if you download a tarball with malicious code? There's so many different ways you can have your security break - to look at your system and say, well I'm not running a web server, so this doesn't apply is entirely beside the point. Windows employs too little audited code, too few security checks and consequently, we see the things that have happened with their reputation with respect to security. Linux has a new technology that is arriving simultaneously with the 2.6 kernels that is designed to provide another additional layer of security - very handy when you execute the wrong code, misconfigure the wrong daemon, absentmindedly stop firewall services, etc. Yes, it's a PITA. Yes, we are having to deal with a technology that we neither understand nor wish to deal with. Getting superuser access by virtue of crashed daemon is not the same thing as logging in as root and that is one of the protections of SELinux. Shut it off if you want. The cost of shutting it off is removing one layer of protection. If it means that little to you - shut it off. Craig
