klybear wrote:
> On Thu, 28 Feb 2008 09:31:05 +0900, John Summerfield wrote:
>
>> The only penetrations I've seen arrived by ssh. I don't think selinux
>> would have helped there; the sorts of restrictions I can think of would
>> also prevent the user from doing what users ought to be able to do such as
>> download stuff (including email), sending email and so forth.

Some attacks can be prevented with SELinux and ssh although it is just
recently gaining confinement. If someone out there wanted to experiment
with using SELinux to further confine ssh, it might be an interesting
experiment (any university student looking for a project?). SSH currently
has privilege separation which we could take further advantage of with
SELinux and the setcon call, but no one has done this yet. SELinux will
prevent things like buffer overflows in ssh via the
execmem/execmod/execstack/execheap prevention. It also stops attacks like
grabbing the /etc/shadow file without a password.

>
> I'm a new full-time linux user, having temped with one or two distros in
> the past, and I have to say that my experience of selinux has been
> frustrating. I never had any Selinux issues with Ubuntu or Debian, but
> since using Fedora, three of the four problems I've solved so far turned
> out to be related to selinux permissions and the fourth one I'm still
> working on :)
>

What problems are you having with SELinux? Have you reported them in
Bugzilla?
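Added example, not part of the original message: a short Python script that picks the execmem/execmod/execstack/execheap denials mentioned above out of SELinux AVC audit records and tallies them per confined domain. The log lines are constructed samples, and the function names are hypothetical.

```python
import re
from collections import Counter

# Memory-protection permissions named in the message above.
MEM_PERMS = {"execmem", "execmod", "execstack", "execheap"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample audit.log lines (not taken from a real system).
SAMPLE_LOG = """\
type=AVC msg=audit(1204185065.101:41): avc:  denied  { execstack } for  pid=2311 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=process
type=AVC msg=audit(1204185065.102:42): avc:  denied  { execmem } for  pid=2311 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=process
type=AVC msg=audit(1204185070.200:43): avc:  denied  { read } for  pid=2500 comm="cat" name="shadow" dev=dm-0 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=USER_LOGIN msg=audit(1204185075.300:44): user pid=2600 uid=0 msg='acct="alice" res=success'
type=AVC msg=audit(1204185080.400:45): avc:  denied  { execmod } for  pid=3001 comm="app" path="/usr/lib/libfoo.so" dev=dm-0 ino=777 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1204185090.500:46): avc:  denied  { execstack } for  pid=2399 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=process
"""

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    fields["perms"] = set(m.group("perms").split())
    return fields

def memory_denials(log_text):
    """Count memory-protection denials keyed by (source domain, command, permission)."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        # scontext is user:role:type:level; the type is the confined domain.
        domain = rec.get("scontext", "::unknown").split(":")[2]
        for perm in rec["perms"] & MEM_PERMS:
            hits[(domain, rec.get("comm", "?"), perm)] += 1
    return hits

if __name__ == "__main__":
    for (domain, comm, perm), n in sorted(memory_denials(SAMPLE_LOG).items()):
        print(f"{domain:15} {comm:8} {perm:10} {n}")
```

A denial of one of these permissions in a network-facing domain such as sshd_t is worth triaging, since it means the process tried to make memory both writable and executable; the /etc/shadow read denial in the sample is parsed but deliberately left out of this tally.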