Re: SELinux
- From: Bruno Wolff III <bruno@xxxxxxxx>
- Date: Wed, 19 Jan 2011 19:58:03 -0600
On Thu, Jan 20, 2011 at 01:51:03 +0200,
Kostas Sfakiotakis <kostassf@xxxxxxxxxxxxxxx> wrote:
> A small comment here, actually SELinux is an NSA invention which
> is supposed to provide extra security to your system by controlling
> everything and everyone.
selinux is a mandatory access control system. This is needed to prevent
hostile code from doing things on your behalf that it shouldn't.
If you really don't want that protection run selinux in permissive mode.
> Since I started this thread, let me clarify something. All I was
> trying to do was to open a pdf file, simple as that, and I do believe
> that on my computer I am pretty much entitled to do so.
selinux access takes precedence over root access. Though as delivered, root
can set selinux to permissive mode to get around that. If you really want
protection when running as root, you'd at least need to turn that setting
off. (Then you'd need to reboot to change the setting.) You also need to
have root logins use a more restrictive role when logging in. Otherwise
there are a lot of ways to subvert the system.
> Well, I was logged in as root at the moment. What am I supposed to do??
> Log out and log back in again just to run Acrobat Reader????? I do
> believe that would be overkill.
Personally, I'd recommend not using acrobat reader. PDFs are more like
executable programs than documents. So besides having to worry about bugs
in acrobat reader (of which there have been plenty with security implications),
you have to worry about valid PDFs doing things to your system or with
your pre-existing data that you don't want.