[Fedora-Bangladesh] Regarding SElinux

Junayeed Ahnaf zombiegenerator at gmail.com
Fri Jun 11 12:49:57 UTC 2010


On Friday, June 11, 2010 04:55:21 pm Angel wrote:
> Why should I use SELinux?
> 
> In short because SELinux can help protect you from bugs in applications.
> Most people treat applications as user surrogates (e.g., "I go to
> google.com" not "I tell my browser to go to google.com and it does so on
> my behalf"). However applications, especially the desktop applications we
> all use, come in at millions of lines of code. Without knowing what those
> millions of lines of code do there is no way to know if an application
> will really do what you tell it or if it becomes malicious because of
> vulnerabilities. With SELinux you can treat the applications you run
> differently from yourself thereby limiting what an exploited application
> can do.
> 
> Datz 4m SELinux doc.
> 
> In order to better understand y SELinux s important n wat it can do for u
> it is easiest to look at some examples. Without SELinux enabled,
> discretionary access control (DAC) methods such as file permissions or
> access control lists (ACLs) r used to grant file access to users. Users n
> programs alike r allowed to grant insecure file permissions to others or
> gain access to parts of the system that should not otherwise be necessary
> for normal operation.
> 
> For example:
> 
> Administrators have no way to control users: A user could set world
> readable permissions on sensitive files such as ssh keys
> 
> Processes can change security properties: A user's mail files should b
> readable only by dat user, but the mail client software has the ability to
> change them to b world readable.
> 
> Processes inherit user's rights: Firefox, if compromised, can read a user's
> private ssh keys even though it has no reason to do so.
> 
> Essentially there are two privilege levels, root and user, and no easy way
> to enforce the model of least-privilege. Many processes dat r launched by
> root later drop their rights to run as a restricted user and some processes
> may be run in a chroot jail, but all of these security methods are
> discretionary.


U did a great job explaining Selinux. Well, I've disabled SElinux cause the 
dictionary thing! Now any way to allow the dictionary to bypass SElinux? Or is 
there any policy I could develop?

> 
> 
> 
> On Fri, Jun 11, 2010 at 1:12 PM, Junayeed Ahnaf
> 
> <zombiegenerator at gmail.com>wrote:
> > Hello,
> > 
> > Recently studied about SElinux. I know it's not a firewall rather some
> > sets of
> > policy which tells computer which,when & how a program can access the
> > network.
> > 
> > My question is, is it utterly necessary to keep this sort of junk enabled
> > or I
> > could easily disable it forgetting it's existence. I've recently disabled
> > this
> > after facing much hardship about installing a soft via shell script.
> > 
> > Enlighten me!
> > --
> > Regards-
> > Junayeed Ahnaf Nirjhor
> > Documentation Team,
> > Linux Mint Bangladesh,
> > Bogra.
> > _______________________________________________
> > bangladesh-users mailing list
> > bangladesh-users at lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/bangladesh-users

-- 
Regards-
Junayeed Ahnaf Nirjhor
Documentation Team,
Linux Mint Bangladesh,
Bogra.


More information about the bangladesh-users mailing list