Re: Why do I need SELinux?


 



Craig White wrote:

On Mon, 2005-02-21 at 00:38 +0000, Timothy Murphy wrote:


Rahul Sundaram wrote:



Oh please. I was discussing the NEED of SELinux for everyone


But does _everyone_ need SELinux?
I'm willing to be convinced, but I haven't been yet.

I think I am probably a typical home user,
perhaps with a bit more equipment than normal.

My connection to the outside world is through my desktop, and ADSL.
I connect to my ISP by dhcp (and pppoe).
I'm running shorewall standard two-interface setup on my desktop.
As far as I can see, this means that no-one outside my system
should be able to get in,
and I certainly see hundreds of packets each day on LogWatch
that have failed to get in through a large number of ports.

(1) Am I deluded in thinking myself reasonably safe?

(2) It also seems to me that if someone did succeed in getting in
they would very probably have superuser privileges,
and so could counteract SELinux if they wanted to?

So for both these reasons (but mainly (1))
I remain unconvinced that SELinux has anything to offer _me_.
And what is more, it seems to me that the same will apply
to most home users,
who I assume are not running web servers accessible by the world.


----
It's not one thing - it's everything.

Have wireless access on your home LAN? What if you are slow in updating
the kernel on the shorewall system? What if you access a malicious web site as
root? What if you download a tarball with malicious code?

There are so many different ways you can have your security break - to
look at your system and say, well I'm not running a web server, so this
doesn't apply, is entirely beside the point.

Windows employs too little audited code, too few security checks and
consequently, we see the things that have happened with their reputation
with respect to security. Linux has a new technology that is arriving
simultaneously with the 2.6 kernels that is designed to provide another
additional layer of security - very handy when you execute the wrong
code, misconfigure the wrong daemon, absentmindedly stop firewall
services, etc. Yes, it's a PITA. Yes, we are having to deal with a
technology that we neither understand nor wish to deal with.

Getting superuser access by virtue of a crashed daemon is not the same
thing as logging in as root and that is one of the protections of
SELinux.

Shut it off if you want. The cost of shutting it off is removing one
layer of protection. If it means that little to you - shut it off.

Craig



Thanks for your attention to this thread, Craig. Tim asked a question that had been in my mind for some time.

My single unit SOHO system connects to the outside world through a cable modem. I run no web services of any kind and simply do not turn the modem on when I am running as root. Even if I su to root, the modem gets turned off. So I had wondered whether SELinux provided any enhanced security for a system like mine.

I infer from your first paragraph above that SELinux offers some protection against damages from tarballs, rpms, etc. that one imports and employs as root. If that inference is valid, I will spend some time trying to understand SELinux despite the apparent steepness of the learning curve an end user like me will face.

