Timothy Murphy wrote:
> Paul Howarth wrote:
>>> Which level of SELinux do you recommend for a personal laptop? I mean, if
>>> you are not offering any service to internet or you don't have many users
>>> and stuff, is it really necessary?
>>
>> I have SELinux enabled on *all* of my machines. But then I know how to
>> fix SELinux issues when they crop up. If it works for you when enabled,
>> you're better off having it, since it offers an additional layer of
>> protection. You don't need to have multiple users or to be offering
>> services on the Internet to get your machine compromised.
>
> I must admit I have taken the opposite tack.
> I enabled SELinux for a while, but it caused several problems
> (which unlike Paul I had difficulty solving)
> and in the end I decided the tiny amount of protection it offered
> was simply not worth the hassle.
>
> I'm running shorewall on my desktop (connected to the internet)
> and it seems to me - though I am no expert -
> that this offers sufficient security for my purposes.

It wouldn't protect you against a browser vulnerability triggered by
visiting a malicious website. There are probably many other types of
vulnerability that firewalls don't help with too.
(I'm a shorewall user myself too btw)

> I have a sneaking suspicion that SELinux is put forward,
> to some extent, as a kind of window-dressing
> to support the argument that Linux is safer than Windows.

SELinux is far from being window-dressing; when configured properly it
is capable of restricting each process to the minimum capabilities that
that process needs to do its job, and most exploits require that
processes be circumvented to do something else, hence SELinux offers
protection against those exploits.

Paul.