SElinux

Digimer lists-5ZoueyuiTZiw5LPnMra/2Q at public.gmane.org
Sat Aug 16 03:51:12 UTC 2014 

On 15/08/14 11:35 PM, Howard Gibson wrote:
> On Fri, 15 Aug 2014 23:21:10 -0400
> Digimer <lists-5ZoueyuiTZiw5LPnMra/2Q at public.gmane.org> wrote:
>
>> On 15/08/14 11:11 PM, Howard Gibson wrote:
>>>      On my home computer and laptops, SElinux is a pain in the butt.
>>>
>>>      Who is protected by SElinux?  Does it protect the system from rogue users, or does it protect from external crackers?
>>
>> Say you had a web service installed, maybe without realizing. Now assume
>> someone compromises that web interface while you enjoy a coffee at the
>> local $coffee_house. SELinux just saved you from the compromised apache
>> from getting control of your system because the apache context isn't
>> allowed to touch system files.
>>
>> etc.
>
> Digimer,
>
>     As a matter of fact, I do have a web server installed on both my desktop and my favourite laptop.  My desktop sits behind my firewall at home.  My laptop's firewall is set to allow nothing through.  I have even turned off ping.  I need to visit a Second Cup with it to verify that it passes True Stealth analysis at http://www.grc.com.  At a lot of sites, GRC seems to test the WiFi server, not me.
>
>     I can see that if I am administering work machines, particularly in a secure environment, I will have to debug some applications and file ACLs to keep the system running.  This protects me from rogue users.  There probably is no need for the users to try out multiple applications.  At home here, I want to.

What SELinux protects you from is when you apps, pick another one, 
apache was a random choice, gets compromised in such a way to provide 
access to the underlying system. This is when selinux saves you, because 
it tells the kernel to reject requests from applications trying to 
access things outside their policies.

If you think you don't need that, fine. To me though, that is like 
choosing not to wear a seatbelt... In 20 years of driving, I have never 
been in a crash, but I still appreciate the value of seatbelts and use 
them every time. SELinux is the OS version of seatbelts and airbags. If 
you think they aren't needed and are "uncomfortable", ok.

-- 
Digimer
Papers and Projects: https://alteeve.ca/w/
What if the cure for cancer is trapped in the mind of a person without 
access to education?
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists

More information about the Legacy mailing list