Re: SELinux

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Ralf Corsepius wrote:
> On 08/31/2010 05:32 PM, Bruno Wolff III wrote:
>   
>> On Wed, Sep 01, 2010 at 00:14:09 +0900,
>>    Takehiko Abe<keke@xxxxxxx>  wrote:
>>     
>>> ;;; sorry other one goes straight to you
>>>
>>>   >  Linus is not exactly famous for his ability to understand security
>>>   >  concepts. I find the fact your argument is produced by google and
>>>   >  cut/paste rather than technical material ... enlightening
>>>
>>> Well, please educate me. All I hear from advocates is "more security"
>>> without a concrete example. You mentioned the danger of emails get
>>> stolen without SELinux. Please give me the scenario. So we can gauge
>>> the risk.
>>>       
>> If you read email you need selinux. If you read email with a client that
>> fires up plugins to read special content (e.g. html, pdfs, flash) then you
>> really need selinux.
>>
>> If you use a web browser to view more than a short list of trusted sites,
>> you need selinux.
>>
>> If you run network services accessible from outside the machine then you
>> need selinux.
>>
>> If you run binaries from semitrusted groups (this includes most commercial
>> software) then you need selinux.
>>     
>
> You don't _need_ SELinux in any such cases.
>
> SELinux is aiming at catching malfunctioning/misbehaving programs and 
> _may_ prevent damage in use-cases such as those you list.
>
> However, SELinux also causes mal-functions and prevents applications 
> from operating properly. Semi-educated tweaking SELinux may even cause 
> further damage up to rendering systems completely unusable.
>
> To me this means: If the defaults work, use it. If it doesn't, switch it 
> off, otherwise you might easily shoot yourself into the foot.
>   
Ralf:

How about we pick a happy middle ground:  Permissive mode.  That way I 
get notified if the 'bad guys' are up to something and I don't get 
locked out when I 'make a mistake'.

We can agree to disagree on the merits and benefits of each and every 
program on the system, but when it comes to security, to remain sane we 
have to have some sort of it.  Otherwise we would go back to being 
islands of computing power.  That is what 'they' want.  Then they can 
beat on us until we submit.

James McKenzie

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines

[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux