On Wed, 2007-08-29 at 16:25 +0000, Tom Horsley wrote: > > I personally have immediately disabled SELinux on any and every box I've > > ever installed for myself, and grind my teeth any time I even see the > > word. > > I didn't disable it on the first fedora release it showed up on, and > spent hours after that just trying to gain enough access to my own system > to disable it when I found that basically nothing worked. Ever > since then I not only disable it when installing, but also add > selinux=0 to the kernel options just to be sure :-). <g> > > Would any of you out there care to share with me any of your personal > > experiences with SELinux being useful to you (in any way whatsoever), on > > a single-user workstation? > > I can't imagine ever having an experience where any form of security > software turned out to be useful, but I do have a theory that explains > selinux in fedora and apparmor in opensuse: You're being a bit facetious, yes? :-) Loosely speaking file permissions could be considered security software. I certainly wouldn't want to have to do without THEM. > Large numbers of government contracts need you to check a box for > "enhanced security" in order to bid on them, therefore selinux was > born. > > If redhat had shipped selinux in enterprise when it was in the condition > it first showed up in fedora, they would have lost every paying > enterprise customer, therefore they needed a large group of suckers > to find all the obvious problems. > > That's us :-). Right. Gotcha. So why does that interest us? Gummint contracts used to hold Windows NT 4.0 up as the holy grail of security. Do we really want to appease THAT? If the *nix namespace has come to the conclusion that it is somehow insecure or not adequately protected from various exploits and has determined to do things better, fine. Nothing wrong with that at all. Evolution. But IS there a security issue? DO things need to be completely re-flummoxed? > Cross out redhat and selinux and write in suse and apparmor with a > crayon, and the same explanation applies :-). > Yeah. Bla. Won't it be fun when every Distro has its own version of the Gordian Knot tying everything up.... Shouldn't an enhanced level of security be something global? You know, kernel-level packet filtering, filesystems with a more granular permissioning structure, per-user chrooting, things like that. Sorry, starting to wander here. Thanks for the input. Andy
