SElinux

Craig White craigwhite at azapple.com
Sun Apr 2 03:11:51 UTC 2006


On Sat, 2006-04-01 at 17:48 -0800, Kam Leo wrote:
> On 4/1/06, Craig White <craigwhite at azapple.com> wrote:
> > On Sun, 2006-04-02 at 03:01 +0300, Caser wrote:
> > > Hi to all,
> > > is there any risk if I disable SELinux?
> > > I have only one user (of course with root)
> > ----
> > SELinux is not just about systems with local account access but about
> > security layering so that if one element is broken, the machine isn't
> > necessarily completely compromised.
> >
> > Is there any risk if you disable SELinux? Yes
> >
> > Should you care is the question you are apparently asking - and the
> > answer I would give you is yes but it's a determination you have to make
> > yourself.
> >
> > Craig
> >
> 
> With SELinux disabled Fedora Core is no better nor worse in regards to
> security than other Linux distributions such as SUSE, Debian, or
> Ubuntu.
----
Is that really relevant? Did my mother always let me go out and play
when my friends were out playing?

SELinux stuff isn't hard. But it does take a few minutes of time and
attention to deal with the 'blocks' that arise - but it is these
'blocks' that confirm why it's installed in the first place.

Granted it's easier to shut it off and I'm sure that when you are
groping for justification for shutting off a layer of security on your
Linux box, your above makes sense. The layer of security is for your
benefit. Heck - why not shut off iptables?
'/sbin/service iptables stop'

that makes it easier to use too. The reason you don't turn off iptables
is because common sense tells you that it's a mistake. The same common
sense should apply to SELinux - regardless of whether Debian/SuSE/Ubuntu
etc. includes it.

Craig



