On 08/31/2010 06:27 PM, James Mckenzie wrote: > Ralf Corsepius<rc040203@xxxxxxxxxx> wrote: >> Sent: Aug 31, 2010 8:43 AM >> To: users@xxxxxxxxxxxxxxxxxxxxxxx >> Subject: Re: SELinux >> >> On 08/31/2010 05:32 PM, Bruno Wolff III wrote: >>> On Wed, Sep 01, 2010 at 00:14:09 +0900, >>> Takehiko Abe<keke@xxxxxxx> wrote: >>>> ;;; sorry other one goes straight to you >>>> >>>> > Linus is not exactly famous for his ability to understand security >>>> > concepts. I find the fact your argument is produced by google and >>>> > cut/paste rather than technical material ... enlightening >>>> >>>> Well, please educate me. All I hear from advocates is "more security" >>>> without a concrete example. You mentioned the danger of emails get >>>> stolen without SELinux. Please give me the scenario. So we can gauge >>>> the risk. >>> >>> If you read email you need selinux. If you read email with a client that >>> fires up plugins to read special content (e.g. html, pdfs, flash) then you >>> really need selinux. >>> >>> If you use a web browser to view more than a short list of trusted sites, >>> you need selinux. >>> >>> If you run network services accessible from outside the machine then you >>> need selinux. >>> >>> If you run binaries from semitrusted groups (this includes most commercial >>> software) then you need selinux. >> >> You don't _need_ SELinux in any such cases. > > I disagree, but that is just my nature. I guess you were a helmet and a bullet-proof vest? SCNR. > If you wander off onto a malware site, you really need SeLinux in that case. Well, I guess you know that SELinux is only available on Fedora? (Yes it's in other distros kernel's, too, but I am not aware about any other major distro shipping a preconfigured rule-set) >> SELinux is aiming at catching malfunctioning/misbehaving programs and >> _may_ prevent damage in use-cases such as those you list. >> >> However, SELinux also causes mal-functions and prevents applications >>from operating properly. Semi-educated tweaking SELinux may even cause >> further damage up to rendering systems completely unusable. >> >> To me this means: If the defaults work, use it. If it doesn't, switch it >> off, otherwise you might easily shoot yourself into the foot. >> > If you don't know what you are doing with SeLinux it is very easy to misconfigure it and lock up a system. That's what I had wanted to express. > If you don't know what you are doing, now is the time to ask for help, not trapse off and try it on your own. Well, my view is a bit different: SELinux in it's current shape on Fedora is not end-user suitable. This is not a problem for professional sys-admins, but it is a problem for "home users" and "occasional users". Ralf -- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
