Fedora vs OpenSuse

[Arthur Pemberton]

On 6/15/07, Les Mikesell <lesmikesell at gmail.com> wrote:
> Rahul Sundaram wrote:
>
> > I understand that point and it's valid however it is a important
> > differentiation. SELinux with the assorted set of security enhancements
> > have been very useful in mitigating security issues. Even end users who
> > tend to not like SELinux and turn it off have benefited it from it.
> >
> > While SELinux policies a number of issues have been fixed with software
> > that was using more privileges than necessary or need to be redesigned
> > because there was fundamental flaws.
>
> Can you give some real examples of something where correctly applied
> standard unix/linux permissions and user/group ids would not work but
> SELinux does?  Or currently-likely bugs in programs that need suid root
> permissions to open a low-numbered port but otherwise run as a uid with
> limited permissions that SELinuc might catch.  It might be easier to
> tolerate the backwards-incompatibilities if we had some actual examples
> of how it has helped anyone.
>
> --
>    Les Mikesell
>     lesmikesell at gmail.com


Circa FC4, I had a personal server on which I loan a friend of mine
some webspace on which he installed phpBB. The big phpBB flaw came,
and I got rooted. Didn't know how I got rooted, but I know that I was
rooted. So I wiped the HDD, reinstalled everything, including phpBB,
since I didn't know that is where the hole was. But this time I took
some time to install SELinux. This time, when someone hacked through
phpBB, they didn't get any further than /tmp. They also were unable to
remove their trail like they did the last time, so I found the phpBB
problem and removed it. I still wiped the machine to be on the safe
side, but didn't put phpBB back in.

-- 
Fedora Core 6 and proud