SELinux

James Mckenzie jjmckenzie51 at earthlink.net
Tue Aug 31 16:27:32 UTC 2010 

Ralf Corsepius <rc040203 at freenet.de> wrote:
>Sent: Aug 31, 2010 8:43 AM
>To: users at lists.fedoraproject.org
>Subject: Re: SELinux
>
>On 08/31/2010 05:32 PM, Bruno Wolff III wrote:
>> On Wed, Sep 01, 2010 at 00:14:09 +0900,
>>    Takehiko Abe<keke at gol.com>  wrote:
>>> ;;; sorry other one goes straight to you
>>>
>>>   >  Linus is not exactly famous for his ability to understand security
>>>   >  concepts. I find the fact your argument is produced by google and
>>>   >  cut/paste rather than technical material ... enlightening
>>>
>>> Well, please educate me. All I hear from advocates is "more security"
>>> without a concrete example. You mentioned the danger of emails get
>>> stolen without SELinux. Please give me the scenario. So we can gauge
>>> the risk.
>>
>> If you read email you need selinux. If you read email with a client that
>> fires up plugins to read special content (e.g. html, pdfs, flash) then you
>> really need selinux.
>>
>> If you use a web browser to view more than a short list of trusted sites,
>> you need selinux.
>>
>> If you run network services accessible from outside the machine then you
>> need selinux.
>>
>> If you run binaries from semitrusted groups (this includes most commercial
>> software) then you need selinux.
>
>You don't _need_ SELinux in any such cases.

I disagree, but that is just my nature.  If you wander off onto a malware site, you really need SeLinux in that case.
>
>SELinux is aiming at catching malfunctioning/misbehaving programs and 
>_may_ prevent damage in use-cases such as those you list.
>
>However, SELinux also causes mal-functions and prevents applications 
>from operating properly. Semi-educated tweaking SELinux may even cause 
>further damage up to rendering systems completely unusable.
>
>To me this means: If the defaults work, use it. If it doesn't, switch it 
>off, otherwise you might easily shoot yourself into the foot.
>
If you don't know what you are doing with SeLinux it is very easy to misconfigure it and lock up a system.  If you don't know what you are doing, now is the time to ask for help, not trapse off and try it on your own.  SeLinux is VERY unforgiving and that is what most people fear about it.  Remember, it is a Security system first.

That is why folks are so scared of it.  Sort of like the 'big black cave reported to have a big black bear in it.'  Bring a flashlight (knowledge) and you are ok.  Walk in without one, and you are lunch (and so is your system.)

Yes, you should have SeLinux or some other security system installed on any system that is connected to the Internet.  It is the 'big black cave' we all should respect, not fear.

James McKenzie

More information about the users mailing list