Re: Migrating from ancient Fedora (was Fedora Core 5 EOL on 2007-06-29)

On 9/21/07, Mike McCarty <Mike.McCarty@xxxxxxxxxxxxx> wrote:
> Jim Perrin wrote:
> > On 9/21/07, Mike McCarty <Mike.McCarty@xxxxxxxxxxxxx> wrote:
> >
> >
> >>WRT SELinux, just disable it is my suggestion. Or perhaps
> >>switch to another distro which is not yet infected.
> >
> >
> > Why yes, ignoring security or bypassing it altogether rather than
> > learning how to protect your systems is an EXCELLENT idea. I highly
>
> Sarcasm is unbecoming. I suppose you are unaware of the
> long and bitter discussions on Fedora about SELinux?

I'm aware of them, and I'm on the side supporting selinux, however it
doesn't make much sense for desktop systems. Servers on the other hand
can very much benefit from selinux.


> SELinux does not prevent nor report people "poking your server".

Depends on how you define poking. Mine may be different but I consider
portscans and such "The cost of doing business online". If someone's
trying an apache/php etc exploit, that's a poke. And selinux does
report the ones which attempt to read/write places where it's not
supposed to.

> SELinux is complicated, FULL STOP. It's a wrong-headed approach.

Complicated doesn't mean that it's wrong-headed. It simply means it's
complicated. By this logic people shouldn't use sendmail either (okay,
I dislike sendmail, but you get my point).


> Any security system which is not already rock solid is not going
> to be made any more secure from attack by adding SELinux. It might
> possibly suffer somewhat less damage, though that's debatable.

This just isn't correct. Keeping programs from accessing things they
don't need access to is ALWAYS better than not. With traditional DAC
owner/group/world permissions, this just isn't possible once you start
adding complexity.

> > For webservers, the belt+suspenders combination of mod_security and
> > selinux is damn near unbeatable.
>
> You have personal experience with SELinux "saving" your system?

Yes, actually. We have a few systems here which run older versions of
insecure PHP applications. SELinux keeps folks from dropping shell
scripts into place on the system (a fairly common attack), and
mod_security keeps the SQL injections out. Added system security
features help, but on the older boxen (RHEL3) attackers can mostly
just walk right in.
-- 
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
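Two of the points above (that SELinux reports attempts by httpd to read or write where it is not supposed to, and that it stops attackers from dropping shell scripts into the web root) show up concretely as AVC records in /var/log/audit/audit.log. The script below is an added example, not code from this thread or from the CentOS project: it parses a handful of constructed AVC lines in the standard kernel audit format and sorts the httpd denials by what the attacker was evidently trying to do. The sample lines, serial numbers, inode numbers, file names and the port label are made up; the field layout (`avc: denied { perm } for pid= comm= ... scontext= tcontext= tclass=`) is the real one.

```python
import re
from collections import Counter

# Constructed sample audit records (not taken from any real system). The
# layout matches what the kernel writes to /var/log/audit/audit.log; the
# values are invented. One SYSCALL record and one sendmail denial are
# included so the filter has something to ignore.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1190404800.101:1001): arch=40000003 syscall=5 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1190404800.101:1001): avc:  denied  { write } for  pid=2345 comm="httpd" name="uploads" dev=sda3 ino=230001 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1190404801.220:1002): avc:  denied  { add_name } for  pid=2345 comm="httpd" name="c99.php" scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1190404801.221:1003): avc:  denied  { create } for  pid=2345 comm="httpd" name="c99.php" scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1190404830.004:1004): avc:  denied  { read } for  pid=2346 comm="httpd" name="shadow" dev=sda3 ino=1803 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1190404835.512:1005): avc:  denied  { name_connect } for  pid=2346 comm="httpd" dest=6667 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:ircd_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1190404900.000:1006): avc:  denied  { read } for  pid=900 comm="sendmail" name="resolv.conf" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Domains the web server runs in under the targeted policy.
WEB_DOMAINS = {'httpd_t', 'httpd_sys_script_t', 'httpd_suexec_t'}
# Permissions that would let an attacker plant or run a file.
MODIFYING = {'write', 'append', 'create', 'add_name', 'remove_name',
             'unlink', 'rename', 'setattr', 'execute', 'execute_no_trans'}
NETWORK = {'name_connect', 'connect'}


def context_type(ctx):
    """Return the type field of a user:role:type[:level] context."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ''


def parse_avc(line):
    """Parse one audit record; return None for anything that is not an AVC decision."""
    m = AVC_RE.search(line)
    if m is None:
        return None  # SYSCALL, PATH, CWD and similar records carry no decision
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'verdict': m.group('verdict'),
        'perms': frozenset(m.group('perms').split()),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'tclass': fields.get('tclass'),
        'sdomain': context_type(fields.get('scontext', '')),
        'ttype': context_type(fields.get('tcontext', '')),
        # Newer kernels add permissive=1 when the denial was logged but not
        # enforced; on such a box the "denied" line means the action succeeded.
        'permissive': fields.get('permissive') == '1',
    }


def classify(rec):
    """Label a denied httpd record by what the request was trying to do."""
    if rec is None or rec['verdict'] != 'denied' or rec['sdomain'] not in WEB_DOMAINS:
        return None
    if rec['perms'] & MODIFYING:
        # A write into httpd_sys_content_t is the "drop a shell script into the
        # web root" case; legitimate upload dirs are labelled httpd_sys_rw_content_t
        # and never produce a denial, so anything here deserves a look.
        return 'write-to-content' if rec['ttype'].startswith('httpd_') else 'write-outside-web'
    if rec['perms'] & NETWORK:
        return 'outbound-connect'
    if 'read' in rec['perms']:
        return 'read-outside-web'
    return 'other'


def web_denials(log_text):
    """Return every denied httpd AVC record in log_text, with a label attached."""
    out = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        label = classify(rec)
        if label:
            rec['label'] = label
            out.append(rec)
    return out


def summarize(log_text):
    """Count denials by (label, target type) for a quick triage view."""
    return Counter((r['label'], r['ttype']) for r in web_denials(log_text))


if __name__ == '__main__':
    for rec in web_denials(SAMPLE_AUDIT_LOG):
        flag = ' PERMISSIVE' if rec['permissive'] else ''
        print(f"{rec['label']:<18} {rec['comm']:<8} {' '.join(sorted(rec['perms'])):<14} "
              f"{rec['tclass']:<10} {rec['ttype']} {rec['name'] or ''}{flag}")
    for key, n in summarize(SAMPLE_AUDIT_LOG).items():
        print(n, key)
```

On a live box the same thing is `ausearch -m avc -c httpd`, but the parser makes the triage rule explicit: a denial is evidence of an attempt, not of a compromise, unless the record carries `permissive=1` (or the machine is in permissive mode, which older kernels do not mark in the record), and the absence of denials says nothing about directories the policy deliberately allows httpd to write.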
