On Wed, 2005-07-27 at 15:24, Mike McCarty wrote: > I went and read the FAQ on selinux, especially the sections > on FC2 since that is what I run. I have yet to read *why* > one would want to run selinux on a machine like mine. The > FAQ has a question which supposedly addresses this question, > but there seem to be many presumptions about the system > on which Linux is installed inherent in the answer, some > or perhaps all of which do not seem to apply to my system. > > In short, they presume that there is some way that software > gets onto my system without my being aware of it, but do > not specify any means by which that might take place. > > Since the issue of how the "malware" gets onto my machine > is completely bypassed, I consider the answer given in the > FAQ to be, well, significantly incomplete. > > And augmenting the answer with "We don't know how it might > get onto your machine" is, IMO, not an adequate answer. It > begs the question. > > What I mean is, I ask "Why should I run selinux?" The answer > then seems to be "We don't know, but if you don't bad things > might happen to your system due to malicious programs." You are correct, nobody knows how they would get code on to your system. I would not say that bad things will happen if you don't run selinux, but it may mitigate the effects if someone with unethical motives happens to get access to your system. Think of selinux as just another layer of defense that is available to you. It is impossible to prove that there are no security holes in a system or the software it is running. Because of this you need to think of defense in depth. You use a hardware firewall or dedicated linux firewall box to block most port probes and access from the outside. That is one layer. You use iptables on your machine to allow access to those services you actually use like ssh and block all others. This is another layer. You utilize strong passwords on your system and configure ssh to only permit certain users. Yet another layer of defense. But lets say that in a subsequent update of ssh a bug is introduced which allows someone to gain access to your system. Or more likely you somehow disclose your user password and id. They transfer software to your machine and proceed to try to gain root access. With selinux in place you have additional access controls on various files that make that job much more difficult if not impossible. Yet another layer of defense. Without selinux the intruder may be able to manipulate certain files on your system and gain root level access. Ultimately it is your decision if you want to use selinux or any of the other security tools available to you. You may decide that you don't want to run it. That is your choice. All I know is that if my system is a little bit harder to crack than the next guy, the hacker most likely will move on and not bother me. :) -- Scot L. Harris webid@xxxxxxxxxx You don't sew with a fork, so I see no reason to eat with knitting needles. -- Miss Piggy, on eating Chinese Food