Oops, inadvertently sent this only to Alan.

On Wed, 2007-08-29 at 17:09 +0100, Alan Cox wrote:
> > Would any of you out there care to share with me any of your personal
> > experiences with SELinux being useful to you (in any way whatsoever), on
> > a single-user workstation?
>
> I leave it on and haven't had any problems with it for the past few
> releases. It makes a large subset of potentially exploitable holes turn
> into rather unexploitable ones and that to me is of value.

Yes, but what exactly is the value-added for you? Please give me some examples of exploitations that SELinux has made unexploitable. I'm not being pissy here, forgive me if it reads that way, I'm just wanting to understand.

In the last half decade I've deployed dozens and dozens (and dozens) of servers and workstations to take their places in production environments. From a simple workstation for myself, to extranet clusters for international organisations. Never have I personally experienced a need for any of the security enhancements that a SELinux or an AppArmor fantasise about providing. (Heck, I've even deployed Internet-facing resources without a firewall in place, for crying out loud.)

The responses I've read so far (my great thanks to all who've replied, by the way) are telling me that SELinux has greatly improved in the last couple of FC/Fedora releases, but that it's not yet at THAT stage of ripeness where it reaps nothing but praise.

In a decade, I've had exactly one box compromised. And that was completely my poor planning and my fault. I exposed a mail server to the world about half a day before I really wanted to, because I was in a rush and needed to do 12 things at once. I got myself rooted through a broken Apache package that hadn't yet been patched, and I learnt a valuable lesson.

At any rate, let's assume that SELinux is mature and ripe, that it interferes with nothing and there are no more issues with updates and whatnot. It's landed, and can be deployed without worry.

What exactly do I gain by doing it? What have I protected myself from?

Andy