Lamar Owen wrote:

On Tuesday 26 February 2008, Jim wrote:

http://www.linuxworld.com/news/2008/022408-selinux.html

Folks who doubt SELinux's ultimate value need to read this article. It is an
excellent case for why to do this.

And given that the first compromised software (HP's software) is more of a
workstation software, SELinux can/could prevent your Linux desktop from
becoming a zombie/bot just like the poor Windows boxes become.

SELinux: not just for servers anymore.

Inconveniences aside, if workstation/desktop software (like firefox,
evolution, kmail, etc) can be exploited and turn a Linux desktop/laptop into
a botnet zombie without SELinux, then it seems to me that we collectively
need to work on making SELinux work properly so that Linux doesn't get the
same black eye that Windows has for botnet purposes. Hrmph, a Linux box,
with all the typical dev tools installed, would make a ten times better
botnet zombie than Windows anyway!

The only penetrations I've seen arrived by ssh. I don't think selinux
would have helped there; the sorts of restrictions I can think of would
also prevent the user from doing what users ought to be able to do, such as
downloading stuff (including email), sending email and so forth.

Still need good traditional security - sound passwords, VPNs, don't
allow more dangerous services such as ssh to listen for connexions from
undesirable sources.

I've always thought the idea of selinux a good one, but it seems to me
overly complex. And the implementation in F9 alpha is fairly disastrous
(depending on what one needs to do).
--