On 6/15/07, Les Mikesell <lesmikesell@xxxxxxxxx> wrote:
Rahul Sundaram wrote:
> I understand that point and it's valid however it is a important
> differentiation. SELinux with the assorted set of security enhancements
> have been very useful in mitigating security issues. Even end users who
> tend to not like SELinux and turn it off have benefited it from it.
>
> While SELinux policies a number of issues have been fixed with software
> that was using more privileges than necessary or need to be redesigned
> because there was fundamental flaws.
Can you give some real examples of something where correctly applied
standard unix/linux permissions and user/group ids would not work but
SELinux does? Or currently-likely bugs in programs that need suid root
permissions to open a low-numbered port but otherwise run as a uid with
limited permissions that SELinuc might catch. It might be easier to
tolerate the backwards-incompatibilities if we had some actual examples
of how it has helped anyone.
--
Les Mikesell
lesmikesell@xxxxxxxxx
Circa FC4, I had a personal server on which I loan a friend of mine
some webspace on which he installed phpBB. The big phpBB flaw came,
and I got rooted. Didn't know how I got rooted, but I know that I was
rooted. So I wiped the HDD, reinstalled everything, including phpBB,
since I didn't know that is where the hole was. But this time I took
some time to install SELinux. This time, when someone hacked through
phpBB, they didn't get any further than /tmp. They also were unable to
remove their trail like they did the last time, so I found the phpBB
problem and removed it. I still wiped the machine to be on the safe
side, but didn't put phpBB back in.
--
Fedora Core 6 and proud
