Re: Why do I need SELinux?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Timothy Murphy wrote:
> But does _everyone_ need SELinux?
> I'm willing to be convinced, but I haven't been yet.
>
> I think I am probably a typical home user,
> perhaps with a bit more equipment than normal.

With the current implementation, you may have a point.

http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#id2764702
says that:

>  Currently, the list of daemons is dhcpd, httpd (apache.te), named,
>  nscd, ntpd, portmap, snmpd, squid, and syslogd

Home users probably shouldn't be running httpd, named, or snmpd. Unless
they've got NFS set up they shouldn't be running portmap. Squid, nscd,
ntpd and dhcpd are optional, depending on what you're doing. In fact,
the only daemon that pretty well everyone will be running is syslogd.

Even with SELinux, it's still (theoretically) safer not to have services
running (or installed) at all.

So SELinux buys you some extra protection on syslogd. This is good, in
case you misconfigure your firewall AND you configure syslogd to listen
to the network AND there's a hole in syslogd, OR an attacker manages to
get some application to log precisely what the attacker wants AND
there's a suitable hole in syslogd.

Yes, it buys extra protection. But *in this case*, especially if you're
not concerned about malicious local users, there isn't much extra
protection.

On the flip side, similar logic means that SELinux should only have
negative effects on syslogd, so why not turn it on?

James.

-- 
James Wilkinson       | USER ERROR: replace user and press any key
Exeter    Devon    UK | to continue.
E-mail address: james | 
@westexe.demon.co.uk  | 


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux