[lug] Re: SELinux
David L. Anselmi
anselmi at anselmi.us
Sat Mar 11 15:12:42 MST 2006
Sean Reifschneider wrote:
> On Sat, Mar 11, 2006 at 10:10:57AM -0700, David L. Anselmi wrote:
>
>> I'm disappointed SELinux is being added to Linux distros. It would
>> be nice if it was a package you could install separately.
>
> For SELinux to be able to work, it has to be fairly invasive.
I figured as much. But I'm an idealist and it would be nice if there
were a way to leave it out altogether. And especially to make sure it
doesn't get turned on without being very clear to the user how to deal
with it to avoid things like:
http://www.tummy.com/journals/entries/kevin_20050614_113430
The kernel and filesystems may support it without having to actually
load the modules or use the file attributes. But maybe not.
[...]
> I imagine that you don't really understand it if you don't think it
> provides any value... Out of the box on FC4/CentOS4 with it set to
> "Enforcing", it will entirely block web-based attacks like the awstats
> exploit that has been so popular lately. It also allows you to do even
> more advanced things like Kevin has done with his firewall -- the "root"
> user is just a regular user with no additional privs.
It's not that I don't understand it, I just don't need the features. So
to me it doesn't make my systems better or easier but takes time to
learn and configure. Fortunately whatever Debian is doing with it
hasn't broken anything.
Really I'm curious what people are using SELinux for that makes them
value it (and saying "I can't imagine a use for..." seems to be a pretty
good way to get replies ;-)
Dave