Re: SELinux

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 08/31/2010 06:27 PM, James Mckenzie wrote:
> Ralf Corsepius<rc040203@xxxxxxxxxx>  wrote:
>> Sent: Aug 31, 2010 8:43 AM
>> To: users@xxxxxxxxxxxxxxxxxxxxxxx
>> Subject: Re: SELinux
>>
>> On 08/31/2010 05:32 PM, Bruno Wolff III wrote:
>>> On Wed, Sep 01, 2010 at 00:14:09 +0900,
>>>     Takehiko Abe<keke@xxxxxxx>   wrote:
>>>> ;;; sorry other one goes straight to you
>>>>
>>>>    >   Linus is not exactly famous for his ability to understand security
>>>>    >   concepts. I find the fact your argument is produced by google and
>>>>    >   cut/paste rather than technical material ... enlightening
>>>>
>>>> Well, please educate me. All I hear from advocates is "more security"
>>>> without a concrete example. You mentioned the danger of emails get
>>>> stolen without SELinux. Please give me the scenario. So we can gauge
>>>> the risk.
>>>
>>> If you read email you need selinux. If you read email with a client that
>>> fires up plugins to read special content (e.g. html, pdfs, flash) then you
>>> really need selinux.
>>>
>>> If you use a web browser to view more than a short list of trusted sites,
>>> you need selinux.
>>>
>>> If you run network services accessible from outside the machine then you
>>> need selinux.
>>>
>>> If you run binaries from semitrusted groups (this includes most commercial
>>> software) then you need selinux.
>>
>> You don't _need_ SELinux in any such cases.
>
> I disagree, but that is just my nature.
I guess you were a helmet and a bullet-proof vest?

SCNR.

>  If you wander off onto a malware site, you really need SeLinux in that case.
Well, I guess you know that SELinux is only available on Fedora?
(Yes it's in other distros kernel's, too, but I am not aware about any 
other major distro shipping a preconfigured rule-set)

>> SELinux is aiming at catching malfunctioning/misbehaving programs and
>> _may_ prevent damage in use-cases such as those you list.
>>
>> However, SELinux also causes mal-functions and prevents applications
>>from operating properly. Semi-educated tweaking SELinux may even cause
>> further damage up to rendering systems completely unusable.
>>
>> To me this means: If the defaults work, use it. If it doesn't, switch it
>> off, otherwise you might easily shoot yourself into the foot.
>>
> If you don't know what you are doing with SeLinux it is very easy to misconfigure it and lock up a system.
That's what I had wanted to express.

> If you don't know what you are doing, now is the time to ask for help, not trapse off and try it on your own.
Well, my view is a bit different: SELinux in it's current shape on 
Fedora is not end-user suitable.

This is not a problem for professional sys-admins, but it is a problem 
for "home users" and "occasional users".

Ralf
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux