Re: SELinux

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> Well, please educate me. All I hear from advocates is "more security"
> without a concrete example. You mentioned the danger of emails get
> stolen without SELinux. Please give me the scenario. So we can gauge
> the risk.

Simple example. Daemons running under selinux can only access the things
they are expected to be accessing. So if I was to crack your httpd and
try and execute a shell SELinux would block it. Standard file permissions
have no notion of who is doing the action and in what context so would
not save you.

The biggest win for a lot of folks is web stuff. If I find a bug in a PHP
script (which for most PHP is pretty much a given) that allows me to
access arbitary files it will be a lot less useful under SELinux because
only files labelled as http content can be accessed this way.

If I manage to use a bug to add a new script to your machine via the web
server I'll not be able to get it to run as a cgi because the web server
isn't allowed to create cgi binaries. Again won't happen with just file
permissions.

Alan
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux