Re: How best get rid of SELinux?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Tom Rivers wrote:
Gene Heskett wrote:
Questions that need answered _here_, where the whole list will read them are:

Why do the supposed selinux functions, if 10,000% less important than a firewall (my personal estimation anyway) seem to take 10,000 times more maintenance than the far more important firewall?

Hi Gene,

I'm no SELinux expert, but I think you may be wide of the mark with how you have phrased this question. Firewalls and SELinux perform two different functions. Take a typical web server for example. The firewall will need to be changed to allow port 80 traffic through at a minimum. In the case of an attacker who targets that web server, the firewall isn't going to do anything because the door has already been left wide open. SELinux, however, will help prevent a hacked web server process from doing additional damage by limiting what it is allowed to do with the rest of the system. What I'm trying to say is that I think you are comparing apples to oranges.

With respect to your point that firewalls are easier to configure than SELinux, I agree. However, it makes sense that this is the case. Firewalls are merely gatekeepers. Telling them to admit, restrict, or deny traffic isn't really that complex. SELinux, on the other hand, deals with the entire OS and the many ways in which programs can interact with it. In comparison, firewalls deal with a small subset of the number of entities SELinux does.

Could SELinux be more easy to configure and manage? I hope so because I have had my fair share of issues with it. Is it understandable that trying to consolidate every way in which every program can deal with every resource on a computer system is a difficult task? I think so. :)


Tom



Nicely put.

I would put it another way.

A firewall is the fence and locks on your doors and windows. The alarm system is the alerts you get when someone tries to get in.

SELinux is the two pit bulls and rottweiler's guard dogs that stop the person that does get into your house. Once in they are not going to be able to do much damage.

I am no expert either and I admit that I like the new troubleshooter.

--
Robin Laing

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux