Re: No need for AV tools on Linux, eh?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Tim:
>> Well, it /could/ stop either threat, however we don't run SELinux
>> as tightly as it could be run.

Darr:
> I'm not sure who "we" is

Us using it, and them who preset its parameters...

> but I run it in restricted mode

What's "restricted" mode?

There's "enforcing" (SELinux doing what it does), "permissive" (SELinux
permitting everything and merely logging it), and "disabled" (self
explanatory) modes.

With policies, we currently use "targeted," where some specific things
are targeted to be controlled by SELinux (known problems, or considered
to be a good idea), and other things are virtually left unmolested
(either because putting restrictions on everything, with a "strict"
policy, causes so many problems that the computer becomes unusable, or
good ways to do such restrictions haven't been worked out yet), or have
only generic restrictions placed upon them.

You probably want to look up targeted versus strict policy, to get more
background on that.


> and rarely even get told something has mislabeled files... and when I
> do get such a message, an autorelabel and reboot nearly-always fixes
> it (I don't mind rebooting once a month or so...

I can't remember getting any denials on anything that I was doing, other
than a brief play with Google Earth, some time ago (and that was their
fault).  However, I do see various reports about things going on in the
background, that don't appear to be affecting what I'm doing.  So they
tend to get ignored.

For example, there's thousands of these:

Summary:  SELinux is preventing gnome-power-man (xdm_t) "execstack"
xdm_t. 

Detailed Description:  SELinux denied access requested by
gnome-power-man. It is not expected that this access is required by
gnome-power-man and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the
application is causing it to require additional access. 

And hundreds of these:

Summary:  SELinux prevented umount from mounting on the file or
directory "/proc/<pid>/mounts" (type "automount_t"). 

Detailed Description:  SELinux prevented umount from mounting a
filesystem on the file or directory "/proc/<pid>/mounts" of type
"automount_t". By default SELinux limits the mounting of filesystems to
only some files or directories (those with types that have the
mountpoint attribute). The type "automount_t" does not have this
attribute. You can either relabel the file or directory or set the
boolean "allow_mount_anyfile" to true to allow mounting on any file or
directory.

-- 
[tim@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.



-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines

[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux