<quote who="Mike McCarty"> >> I disagree. Things like SELinux/RSBAC/grsecurity+PaX can add a further >> defense layer in system hardening. > > If someone gets through, then you are compromised. SELinux might > (repeat, might) somewhat reduce the damage. But if you get rooted, > then the infiltrator can change the policy just like you can. > Every additional piece of software which is on your machine is > another potential hole in your security, especially one which > runs at kernel level. And just plain defects which can corrupt > your system entirely is another issue. Well, I'm going to jump right into the middle of this conversation and give my $.001 worth of rant. IMHO, SELinux is fairly difficult to manage. I love the idea of ACLs but just don't like SELinux's approach. I went with LIDS and RSBAC a while back. I think for ACLs to work, they have to be easily manageable. LIDS was the easiest for me. Very simple and straight forward (once you got the darn thing to work). As to getting rooted, I believe both LIDS and RSBAC can be configured to only allow modification from special terminals (i.e. local terminal only etc). They are also kernel modules so they can not be easily bypassed. Finally, they usually have a separate password required to invoke the modification terminal. All very nice features. Try giving other ACL implementations a try. You may find them much more enjoyable. Be warned though, they are all difficult to install but once you are past that... -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
