On Wed, 2008-04-09 at 13:40 -0500, Bruno Wolff III wrote:
> On Wed, Apr 09, 2008 at 14:30:17 -0400,
>   John Aldrich <john@xxxxxxxxxxxxxxx> wrote:
> > On Wednesday 09 April 2008, Aaron Konstam wrote:
> > > > The disappearance of the "disable iptables" and "disable selinux" options
> > > > counts as a minor annoyance, I guess. But thanks for that too!
> > > >
> > >
> > > Your comment is interesting since when the list members heard that this
> > > option would be removed it was greeted by collective opposition to its
> > > removal.
> > >
> > I, personally, have no use for selinux. But then I'm just a hobbyist and I'm
> > behind a DSL router doing NAT, so I have little need for selinux. I hope
> > there's some way to disable it still.
>
> Assuming you browse the web using firefox, that's changing. Dan Walsh is
> working on confining Firefox. It won't be ready for F9 (at least not enough
> to enable by default), but it's coming. And your current set up doesn't
> protect you from broken plugins (or firefox itself) combined with malicious
> data.
----
the point being that security is about layers of protection and there is
no one single layer that handles everything that is needed for
security...i.e., a firewall / router doing NAT is secure until it isn't
and then you have to deal with it.

Bruno is noting that the current methods of exploitation tend to be web
pages, flash, java, media files and a firewall isn't going to be of much
help with this type of intrusion but selinux clearly could be a layer of
use here.

Yes, disabling SELinux is certainly always possible, and in fact quite
easy to do but that doesn't mean that it's the best choice possible.

Craig