SELinux

James Mckenzie jjmckenzie51 at earthlink.net
Wed Sep 1 14:52:57 UTC 2010


Takehiko Abe <keke at gol.com> wrote:
>Sent: Sep 1, 2010 5:25 AM
>To: Community support for Fedora users <users at lists.fedoraproject.org>
>Subject: Re: SELinux
>
> >> I assume you know the chances that an average Linux user actually gets
> >> exploited in that way are very low.
> >
> > I would love to see the academic paper reference for this and the
> > analysis as to why - maybe it's because most of them use SELinux ;)
>
>Just count the known incidents of such exploits. ZERO. No WMD.

Pure bullshit.  There are PLENTY of UNIX/Linux systems that are 'powned'.  SELinux prevents but does not stop this, if running in permissive mode.  In enforcing mode, all hell breaks loose.  At least you will be aware that this has happened and in enforcing mode the attack may be stopped.  In enforcing mode, you can attempt to evaluate and eliminate the damage.  You don't READ about this because most companies don't want to admit their security systems don't work.
Remember the TV ad about the fact that the firewall did not stop the 17-year-old hacker from taking almost 200,000 credit card records and then building the robot of his dreams (this was an actual event folks, don't laugh)?  This MIGHT have been prevented if the company used and enforced a high-quality security system like SELinux.  SELinux acts as a host-based security system and is only as good as YOU make it.  If you don't want it, you don't have to have it.  But when the PCI folks (aka MasterCard/Visa/AMEX/Discover/JCB) shut off your ability to accept and process Credit/Debit transactions, you have no one to blame but yourself.  When your competition 'mysteriously' shows up with your design, then you have to ask, "How did they get that?"  Security systems are there for a reason.  We all have information that others desire and it is up to us to ensure that it does not appear in the hands of the 'bad guys'.  So, are you going to run around the Internet 'naked' or are you going to use every tool at your hands (Bastille/iptables/SELinux)?  I prefer the latter scenario.  Of course, a very determined cracker is going to get in, but the ordinary Joe is not.

BTW, the EASIEST system to 'pown' is a Mac.  I'll leave it up to you to do the work (Google is definitely your friend with this.)

Please remember, it is up to YOU to protect YOUR data, no one else.

James McKenzie


