Why should I use SELinux?
In short because SELinux can help protect you from bugs in applications.
Most people treat applications as user surrogates (e.g., "I go to google.com"
not "I tell my browser to go to google.com and it does so on my behalf").
However applications, especially the desktop applications we all use, come
in at millions of lines of code. Without knowing what those millions of
lines of code do there is no way to know if an application will really do
what you tell it or if it becomes malicious because of vulnerabilities. With
SELinux you can treat the applications you run differently from yourself
thereby limiting what an exploited application can do.
That's from the SELinux doc.
In order to better understand why SELinux is important and what it can do for
you it is easiest to look at some examples. Without SELinux enabled,
discretionary access control (DAC) methods such as file permissions or access
control lists (ACLs) are used to grant file access to users. Users and
programs alike are allowed to grant insecure file permissions to others or
gain access to parts of the system that should not otherwise be necessary for
normal operation.
Administrators have no way to control users: A user could set world readable
permissions on sensitive files such as ssh keys.
Processes can change security properties: A user's mail files should be
readable only by that user, but the mail client software has the ability to
change them to be world readable.
Processes inherit user's rights: Firefox, if compromised, can read a user's
private ssh keys even though it has no reason to do so.
Essentially there are two privilege levels, root and user, and no easy way
to enforce the model of least-privilege. Many processes that are launched by
root later drop their rights to run as a restricted user and some processes
may be run in a chroot jail, but all of these security methods are
On Fri, Jun 11, 2010 at 1:12 PM, Junayeed Ahnaf
Recently studied about SELinux. I know it's not a firewall rather some sets
policy which tells computer which, when & how a program can access the
My question is, is it utterly necessary to keep this sort of junk enabled
could easily disable it forgetting its existence. I've recently disabled
after facing much hardship about installing a soft via shell script.
Junayeed Ahnaf Nirjhor
Linux Mint Bangladesh,
bangladesh-users mailing list
0DF8 3CD4 AFE3 68C6 2CDA 9F17 14B8 1A15 E5F7 73C2
Fedora -- Freedom² and rapid innovation
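
Added example, not part of the original message or of the SELinux documentation it quotes: a toy Python model of the three DAC cases listed above, checking the same accesses under DAC alone and under DAC plus SELinux-style type enforcement. The user alice, the file paths and every label ending in _t are hypothetical, and group permissions are left out.

```python
# Toy model (constructed for illustration): the same access checked under
# DAC alone and under DAC plus SELinux-style type enforcement (TE).
from collections import namedtuple

File = namedtuple("File", "path owner mode setype")     # setype: object label
Process = namedtuple("Process", "name user domain")     # domain: process label

def dac_allows(proc, f, perm):
    """DAC: the decision depends only on user identity and mode bits."""
    if proc.user == "root":
        return True
    if perm == "setattr":                  # chmod: the owner may always do it
        return proc.user == f.owner
    bit = {"read": 4, "write": 2}[perm]
    shift = 6 if proc.user == f.owner else 0   # owner vs. other; groups omitted
    return bool((f.mode >> shift) & bit)

# TE rules: (source domain, target type, permission). Default is deny.
# Hypothetical labels, not copied from any shipped policy.
ALLOW = {
    ("browser_t", "browser_home_t", "read"),
    ("browser_t", "browser_home_t", "write"),
    ("ssh_client_t", "ssh_key_t", "read"),
    ("mail_client_t", "mail_file_t", "read"),
    ("mail_client_t", "mail_file_t", "write"),
}

def selinux_allows(proc, f, perm):
    """MAC is checked in addition to DAC: both must permit the access."""
    return dac_allows(proc, f, perm) and (proc.domain, f.setype, perm) in ALLOW

def compare():
    """Return {(process, path, perm): (dac_result, dac_plus_te_result)}."""
    key = File("/home/alice/.ssh/id_rsa", "alice", 0o600, "ssh_key_t")
    mbox = File("/home/alice/mbox", "alice", 0o600, "mail_file_t")
    browser = Process("browser", "alice", "browser_t")
    ssh = Process("ssh", "alice", "ssh_client_t")
    mail = Process("mail", "alice", "mail_client_t")
    cases = [(browser, key, "read"), (ssh, key, "read"),
             (mail, mbox, "read"), (mail, mbox, "setattr")]
    return {(p.name, f.path, perm):
            (dac_allows(p, f, perm), selinux_allows(p, f, perm))
            for p, f, perm in cases}

if __name__ == "__main__":
    for (name, path, perm), (dac, te) in compare().items():
        print(f"{name:8} {perm:8} {path:26} DAC={dac!s:5} DAC+TE={te}")
```

The browser row is the Firefox case from the text: DAC permits the read because the process runs as the file's owner, while the type-enforcement check denies it because no rule lets the browser domain read the key's type.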