SELinux (was: Re: [lug] rpm verify)
Sean Reifschneider
jafo at tummy.com
Sat Mar 11 14:31:47 MST 2006
On Sat, Mar 11, 2006 at 10:10:57AM -0700, David L. Anselmi wrote:
>I'm disappointed the selinux is being added to Linux distros. It would
>be nice if it was a package you could install separately.
For SELinux to be able to work, it has to be fairly invasive. Patched
file-systems and modifications to many parts of the kernel itself make it
not really something that can just be added as a box on the side. The
contexts applied to every file require support in the installer, etc...
So, while you're disappointed that it's in there, I'm quite glad that
they're giving people the option. We just don't live in a world where you
can get by without SELinux. We need the extra security for some things,
and SELinux does a great job of it.
>I have very little interest in selinux because a) it doesn't seem to
>provide any value, and b) it isn't clear that it is the UNIX Way to
>provide the features it has.
The UNIX way to provide the features it has is, you know, to not.
I imagine that you don't really understand it if you don't think it
provides any value... Out of the box on FC4/CentOS4 with it set to
"Enforcing", it will entirely block web-based attacks like the awstats
exploit that has been so popular lately. It also allows you to do even
more advanced things like Kevin has done with his firewall -- the "root"
user is just a regular user with no additional privs.
It's definitely much better than the old "Capabilities" system. That
worked well, but also required kernel patches and only existed in one line
of the Linux kernel.
I think SELinux is an important feature for distributions to have, even
though at the same time I do recommend disabling it for many uses...
Thanks,
Sean
--
No man has a natural right to commit aggression on the equal rights of
another, and this is all from which the laws ought to restrain him. -- T.J.
Sean Reifschneider, Member of Technical Staff <jafo at tummy.com>
tummy.com, ltd. - Linux Consulting since 1995: Ask me about High Availability
More information about the LUG
mailing list