Re: SElinux

From: Benjamin Franz <snowhare@xxxxxxxxxxx>
Date: Sun, 2 Apr 2006 06:55:01 -0700 (PDT)

On Sat, 1 Apr 2006, Craig White wrote:

SELinux stuff isn't hard. But it does take a few minutes of time and
attention to deal with the 'blocks' that arise - but it is these
'blocks' that confirm why it's installed in the first place.

Granted it's easier to shut it off and I'm sure that when you are
groping for justification for shutting off a layer of security on your
Linux box, your above makes sense. The layer of security is for your
benefit. Heck - why not shut off iptables? '
/sbin/service iptables stop'

that makes it easier to use too. The reason you don't turn off iptables
is because common sense tells you that it's a mistake. The same common
sense should apply to SELinux - regardless of whether Debian/SuSE/Ubuntu
etc. includes it.

I decline to have SELinux occasionally grab the steering wheel and try to take my machine over a cliff so I can act as Redhat's Beta Tester for their selinux-policies. It is, and will remain, turned disabled on my production servers until I am comfortable that more learning curve incidents by Redhat where an update causes previously working machines to suddenly have problems are not going to happen.

Redhat did significant damage to my trust level regarding their ability to safely deploy things that significantly extend the security model of linux with their handling of both auditd and SELinux. Too often lately, Redhat's efforts on the security front have 'made my machine more unstable' rather than 'made it more secure'.

In a year or two, when show stopping bugs in SELinux policies that were being updated _literally_ every other week are only distant memories, I'll consider turning it on in any higher mode than 'permissive'.

Until then, the conservative position, the one focused on minimizing the threats to my system's stable operation from _whatever_ source (INCLUDING system updates from Redhat) says 'SELinux stays disabled'.

--
Benjamin Franz

"Once burned, twice shy."

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

Follow-Ups:
- Re: SElinux
  - From: Mike McCarty
- Re: SElinux
  - From: Craig White

References:
- SElinux
  - From: Caser
- Re: SElinux
  - From: Craig White
- Re: SElinux
  - From: Kam Leo
- Re: SElinux
  - From: Craig White

Prev by Date: system-config-soundcard not displaying USB audio device
Next by Date: Re: SElinux
Previous by thread: Re: SElinux
Next by thread: Re: SElinux
Index(es):
- Date
- Thread

Relevant Pages

Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
... Would there be a reason to implement floating labels in SELinux? ... In this case fireflier would need to do only this: ... To have all tasks assigned a security structure, ... * A task has accessed this file, add the task's SID to the group SID of ...
(Linux-Kernel)
Re: ssh -X shop problem...
... outside security is delegated to the x86 version of DD-WRT. ... If this install would have Just Workedfrom the gitgo, ... Then yesterday there was a whole gaggle of selinux related stuff that yum ... PAM security session: Success ...
(Fedora)
Re: Root access removed
... >>A little bit if time spent on education is much better in the long run ... >proper rennet mixture for curdling, oleo versus diary mixture to meet USDA ... >This is again where a well-configured SELinux setup will solve many problems. ... >technologies should be thought of as ways to improve both security of the ...
(Fedora)
Re: Penalty of SELinux?
... Debian has SELinux, although Ubuntu now has ... security, in my opinion -- since it is oh so very easily ... People in the security field believe that pathnames are an ... used for DAC. ...
(Debian-User)
Re: AppArmor FAQ
... don't require changing applications. ... modified to be SELinux aware - only a small handful of security aware ... bits in addition to ACLs or an SELinux label. ... understanding both SELinux policies and AppArmor profiles is ...
(Linux-Kernel)