Re: Fedora vs OpenSuse



Les Mikesell wrote:
Rahul Sundaram wrote:

I understand that point and it's valid; however, it is an important differentiation. SELinux with the assorted set of security enhancements has been very useful in mitigating security issues. Even end users who tend to not like SELinux and turn it off have benefited from it.

While SELinux policies a number of issues have been fixed with software that was using more privileges than necessary or need to be redesigned because there were fundamental flaws.

Can you give some real examples of something where correctly applied standard unix/linux permissions and user/group ids would not work but SELinux does? Or currently-likely bugs in programs that need suid root permissions to open a low-numbered port but otherwise run as a uid with limited permissions that SELinux might catch? It might be easier to tolerate the backwards-incompatibilities if we had some actual examples of how it has helped anyone.

I already gave one a couple of mails earlier in the same thread. There have been several others. Some referenced in Fedora weekly news too. SELinux or MAC security confines individual applications which aren't tied to users in the system. SELinux is an additional layer over traditional security mechanisms and doesn't conflict with it.

You might want to read http://danwalsh.livejournal.com/ and http://www.awe.com/mark/blog.

Rahul

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list


