Re: SELinux survey (was RE: Stupid F7 boot loop)

On Wed, 2007-08-29 at 16:25 +0000, Tom Horsley wrote:
> > I personally have immediately disabled SELinux on any and every box I've
> > ever installed for myself, and grind my teeth any time I even see the
> > word.
> 
> I didn't disable it on the first fedora release it showed up on, and
> spent hours after that just trying to gain enough access to my own system
> to disable it when I found that basically nothing worked. Ever
> since then I not only disable it when installing, but also add
> selinux=0 to the kernel options just to be sure :-).

<g>
 
> > Would any of you out there care to share with me any of your personal
> > experiences with SELinux being useful to you (in any way whatsoever), on
> > a single-user workstation?
> 
> I can't imagine ever having an experience where any form of security
> software turned out to be useful, but I do have a theory that explains
> selinux in fedora and apparmor in opensuse:

You're being a bit facetious, yes? :-) Loosely speaking file permissions
could be considered security software. I certainly wouldn't want to have
to do without THEM.

> Large numbers of government contracts need you to check a box for
> "enhanced security" in order to bid on them, therefore selinux was
> born.
> 
> If redhat had shipped selinux in enterprise when it was in the condition
> it first showed up in fedora, they would have lost every paying
> enterprise customer, therefore they needed a large group of suckers
> to find all the obvious problems.
> 
> That's us :-).

Right. Gotcha. 
So why does that interest us? Gummint contracts used to hold Windows NT
4.0 up as the holy grail of security. Do we really want to appease THAT?
If the *nix namespace has come to the conclusion that it is somehow
insecure or not adequately protected from various exploits and has
determined to do things better, fine. Nothing wrong with that at all.
Evolution. But IS there a security issue? DO things need to be
completely re-flummoxed?

> Cross out redhat and selinux and write in suse and apparmor with a
> crayon, and the same explanation applies :-).
> 

Yeah. Bla. Won't it be fun when every Distro has its own version of the
Gordian Knot tying everything up....

Shouldn't an enhanced level of security be something global? You know,
kernel-level packet filtering, filesystems with a more granular
permissioning structure, per-user chrooting, things like that. Sorry,
starting to wander here.

Thanks for the input.

Andy

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list