[Fedora-Bangladesh] Regarding SElinux

Angel angel at linux.org.bd
Fri Jun 11 10:55:21 UTC 2010


Why should I use SELinux?

In short because SELinux can help protect you from bugs in applications.
Most people treat applications as user surrogates (e.g., "I go to google.com"
not "I tell my browser to go to google.com and it does so on my behalf").
However applications, especially the desktop applications we all use, come
in at millions of lines of code. Without knowing what those millions of
lines of code do there is no way to know if an application will really do
what you tell it or if it becomes malicious because of vulnerabilities. With
SELinux you can treat the applications you run differently from yourself
thereby limiting what an exploited application can do.

Datz 4m SELinux doc.

In order to better understand y SELinux s important n wat it can do for u it
is easiest to look at some examples. Without SELinux enabled, discretionary
access control (DAC) methods such as file permissions or access control
lists (ACLs) r used to grant file access to users. Users n programs alike r
allowed to grant insecure file permissions to others or gain access to parts
of the system that should not otherwise be necessary for normal operation.

For example:

Administrators have no way to control users: A user could set world readable
permissions on sensitive files such as ssh keys

Processes can change security properties: A user's mail files should b
readable only by dat user, but the mail client software has the ability to
change them to b world readable.

Processes inherit user's rights: Firefox, if compromised, can read a user's
private ssh keys even though it has no reason to do so.

Essentially there are two privilege levels, root and user, and no easy way
to enforce the model of least-privilege. Many processes dat r launched by
root later drop their rights to run as a restricted user and some processes
may be run in a chroot jail, but all of these security methods are
discretionary.



On Fri, Jun 11, 2010 at 1:12 PM, Junayeed Ahnaf
<zombiegenerator at gmail.com>wrote:

> Hello,
>
> Recently studied about SElinux. I know it's not a firewall rather some sets
> of
> policy which tells computer which,when & how a program can access the
> network.
>
> My question is, is it utterly necessary to keep this sort of junk enabled
> or I
> could easily disable it forgetting it's existence. I've recently disabled
> this
> after facing much hardship about installing a soft via shell script.
>
> Enlighten me!
> --
> Regards-
> Junayeed Ahnaf Nirjhor
> Documentation Team,
> Linux Mint Bangladesh,
> Bogra.
> _______________________________________________
> bangladesh-users mailing list
> bangladesh-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/bangladesh-users
>



-- 
Angel
0DF8 3CD4 AFE3 68C6 2CDA 9F17 14B8 1A15 E5F7 73C2

Fedora -- Freedom² and rapid innovation
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://admin.fedoraproject.org/mailman/private/bangladesh-users/attachments/20100611/d1651df2/attachment.html 


More information about the bangladesh-users mailing list