Conflicted about SELinux; need advice

Marc Schwartz MSchwartz at MedAnalytics.com
Tue Nov 16 00:44:13 UTC 2004


On Mon, 2004-11-15 at 23:18 +0000, James Wilkinson wrote:
> Marc Schwartz wrote:
> > Ultimately, it is your call, but I would not use the "I am not running
> > servers" argument as the basis for using or not using SELinux. More
> > security is a good thing, even on a desktop.
> 
> Mind you, the default targeted policy might not buy you much on a
> "normal" desktop.
> 
> http://fedora.redhat.com/docs/selinux-faq-fc3/ says:
> 
> # dhcpd, httpd (apache.te), named, nscd, ntpd, portmap, snmpd, squid,
> # and syslogd [are protected].
> 
> A normal desktop shouldn't need httpd, named, or squid. Many of them
> won't need portmap or snmpd. A solo desktop on dial-up probably won't
> want dhcpd or ntpd (and almost certainly won't want portmap and snmpd).
> 
> That leaves syslogd, which shouldn't be open to the network in these
> situations, and nscd. Which I've just realized I'm not even running...


No disagreement, though it does provide an easy transition for someone
who wants to begin to learn SELinux while operating in a relatively
basic and unobtrusive environment.

It would have been much more frustrating under FC2 with strict policy
enforcement.  :-)

Marc




