SELinux on single-user box?

Rahul Sundaram sundaram at redhat.com
Wed Jun 15 19:18:12 UTC 2005


Ben Steeves wrote:

>Hi Folks,
>
>I'm not trying to start a flamewar or anything, this is an innocent question:  
>
>Is there any compelling reason to run SELinux on a home system that is
>mainly "single-user" if you are running a well-configured firewall
>with almost all services turned off or filtered?
>
SELinux is a second line of defense where security works through layers. 
SELinux strict policy in FC2 (disabled by default) would make the system 
much more secure but requires manual customisations depending on the 
usages. For FC3, Red Hat (or more specifically Dan Walsh) has come up 
with the SELinux targeted policy enabled by default where there were 
only a dozen daemons protected through SELinux, which didn't make much of 
a difference on the desktop but also meant that it didn't get in your way 
and it didn't hurt to have it enabled. FC4 has increased the number 
to 91 daemons where some of them do make a change for home users too. I 
don't think it's absolutely required in the sense that nothing *depends* 
on it but it would be a good idea to leave it on for the simple reason 
that it offers you security that no amount of firewalling would do. You 
can think of SELinux as an internal sandbox or firewall between 
applications themselves. Specifically, it's not just a server-side 
security thing.

Hope that answers you

regards
Rahul



