On Wed, Jan 16, 2008 at 09:19:38PM +0100, Valent Turkovic wrote:
> On Jan 16, 2008 9:03 PM, Daniel P. Berrange <berrange@xxxxxxxxxx> wrote:
> > On Wed, Jan 16, 2008 at 08:57:56PM +0100, Valent Turkovic wrote:
> > > Hi,
> > > I believe that SELinux is a great linux server security hardening tool
> > > but that has little use in desktop linux usage and it confuses
> > > ordinary desktop users.
> >
> > It is of great use in a desktop spin. On my 'desktop' install for my
> > laptop I have many many system daemons running under a confined domain
>
> You, of course, will always have the ability to choose to install it
> and use it.
>
> > > If it hasn't been discussed before I would like to propose that on
> > > desktop cd spin SELinux is not installed by default, of course after
> > > discussion and approval from you (fedora devels).
> >
> > No. SELinux provides very real & important protection for desktop users.
>
> Can you give me examples of this protection over fedora 9 without
> SELinux or with SELinux in permissive mode?

Yes. SELinux mitigated against the recent HPLIP security flaw which would
have allowed arbitrary code execution as root.

  http://james-morris.livejournal.com/25140.html
  https://rhn.redhat.com/errata/RHSA-2007-0960.html

There have been other similar scenarios where security flaws have been
prevented, or their damage mitigated by presence of SELinux.

Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|