On Fri, Apr 30, 2004 at 08:34:44AM -0400, Stephen Smalley wrote:
> So how would people feel about a separate relaxed policy that allows
> everything in the system to run completely unconfined except for a small
> set of specific services, e.g. apache, bind, postfix, ...
> That would ensure that SELinux wouldn't get in the way of users, while
> providing some protection benefit for network-facing services.

While I think that a relaxed policy might be useful to server admins who would rather not fix their admin scripts, etc., the full policy ought not be terribly burdensome on a dedicated server.

It is on the desktop that SELinux potentially offers the greatest benefit and the greatest burden. Client apps (and particularly GUI client apps) -- browser, e-mail, IM, media players -- will be targeted. We laugh at poor MS Outlook users, but social engineering works. A measurable fraction of Linux users will inevitably read their e-mail and follow that link, look at that picture or video clip, play that game applet, etc. It is the client apps that need confinement.

While exploiting a client app doesn't immediately give the attacker admin privileges, that's largely irrelevant if the purpose of the attack is to (1) harvest, destroy, or modify the user's data, or (2) use the client as a zombie for some purpose.

Confining Postfix and not Mozilla is like double-locking the front door, but leaving the bathroom window open.

Regards,

Bill Rugolsky