SElinux

Eugen Leitl eugen at leitl.org
Mon Apr 3 08:25:15 UTC 2006


On Mon, Apr 03, 2006 at 12:34:07AM -0700, Craig White wrote:

> if Windows exploits are any indication, it is primarily desktop systems
> which are the target for malware that infects the system for nefarious

No disagreement.

> purposes. Why? Because the users are often not knowledgeable, run with
> elevated privileges, travel to web sites that attempt every conceivable
> exploit in a plethora of scripting languages, etc.

Yes. But more packages -- more opportunities for SELinux/RSBAC/grsecurity
to break your system. If a user has to choose between a secure or a functional
system, he will choose the one that works.
 
> The policy updates from Fedora have been frequent and are automatically
> installed/applied

Empirically, I had SELinux breaking services on my desktop. It is
hard enough to keep the system running in Fedora Core land as it is.
No need for an extra handicap.

It is reasonable for a sysadmin to craft and review security policy
on a stable (=static) server with few packages installed and few 
services offered. Especially, if you're paid to do it.

Trying to do this on a rapidly evolving desktop with a rich set
of packages, most of them pulled in from a dozen depositories
run by people with not very high stability standards (FC is bleeding
edge, after all) is a) not something most people enjoy b) takes
more time than most people have, especially if it's a hobby.

-- 
Eugen* Leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820            http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE