On Friday, June 11, 2010 04:55:21 pm Angel wrote:
Why should I use SELinux?
In short because SELinux can help protect you from bugs in applications.
Most people treat applications as user surrogates (e.g., "I go to
google.com" not "I tell my browser to go to
google.com and it does so on
my behalf"). However applications, especially the desktop applications we
all use, come in at millions of lines of code. Without knowing what those
millions of lines of code do there is no way to know if an application
will really do what you tell it or if it becomes malicious because of
vulnerabilities. With SELinux you can treat the applications you run
differently from yourself thereby limiting what an exploited application
can do.
Datz 4m SELinux doc.
In order to better understand y SELinux s important n wat it can do for u
it is easiest to look at some examples. Without SELinux enabled,
discretionary access control (DAC) methods such as file permissions or
access control lists (ACLs) r used to grant file access to users. Users n
programs alike r allowed to grant insecure file permissions to others or
gain access to parts of the system that should not otherwise be necessary
for normal operation.
For example:
Administrators have no way to control users: A user could set world
readable permissions on sensitive files such as ssh keys
Processes can change security properties: A user's mail files should b
readable only by dat user, but the mail client software has the ability to
change them to b world readable.
Processes inherit user's rights: Firefox, if compromised, can read a user's
private ssh keys even though it has no reason to do so.
Essentially there are two privilege levels, root and user, and no easy way
to enforce the model of least-privilege. Many processes dat r launched by
root later drop their rights to run as a restricted user and some processes
may be run in a chroot jail, but all of these security methods are
discretionary.
U did a great job explaining Selinux. Well, I've disabled SElinux cause the
dictionary thing! Now any way to allow the dictionary to bypass SElinux? Or is
there any policy I could develop?
On Fri, Jun 11, 2010 at 1:12 PM, Junayeed Ahnaf
<zombiegenerator(a)gmail.com>wrote:
> Hello,
>
> Recently studied about SElinux. I know it's not a firewall rather some
> sets of
> policy which tells computer which,when & how a program can access the
> network.
>
> My question is, is it utterly necessary to keep this sort of junk enabled
> or I
> could easily disable it forgetting it's existence. I've recently disabled
> this
> after facing much hardship about installing a soft via shell script.
>
> Enlighten me!
> --
> Regards-
> Junayeed Ahnaf Nirjhor
> Documentation Team,
> Linux Mint Bangladesh,
> Bogra.
> _______________________________________________
> bangladesh-users mailing list
> bangladesh-users(a)lists.fedoraproject.org
>
https://admin.fedoraproject.org/mailman/listinfo/bangladesh-users
--
Regards-
Junayeed Ahnaf Nirjhor
Documentation Team,
Linux Mint Bangladesh,
Bogra.