Timothy Murphy wrote:
> But does _everyone_ need SELinux?
> I'm willing to be convinced, but I haven't been yet.
>
> I think I am probably a typical home user,
> perhaps with a bit more equipment than normal.

With the current implementation, you may have a point.

http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#id2764702 says that:

> Currently, the list of daemons is dhcpd, httpd (apache.te), named,
> nscd, ntpd, portmap, snmpd, squid, and syslogd

Home users probably shouldn't be running httpd, named, or snmpd. Unless they've got NFS set up they shouldn't be running portmap. Squid, nscd, ntpd and dhcpd are optional, depending on what you're doing. In fact, the only daemon that pretty well everyone will be running is syslogd.

Even with SELinux, it's still (theoretically) safer not to have services running (or installed) at all.

So SELinux buys you some extra protection on syslogd. This is good, in case you misconfigure your firewall AND you configure syslogd to listen to the network AND there's a hole in syslogd, OR an attacker manages to get some application to log precisely what the attacker wants AND there's a suitable hole in syslogd.

Yes, it buys extra protection. But *in this case*, especially if you're not concerned about malicious local users, there isn't much extra protection.

On the flip side, similar logic means that SELinux should only have negative effects on syslogd, so why not turn it on?

James.

--
James Wilkinson       | USER ERROR: replace user and press any key
Exeter Devon UK       | to continue.
E-mail address: james | @westexe.demon.co.uk