Hi,

I don't quite agree with you. Let me expose my views so each member of the list can weigh pros and cons:

> Not answering this thread, but would like to ask some related points
> for anyone who may be listening in:
>
> 1. RPMs.
>
> For practically everything else, I use RPMs for installation. For
> Squid, I've moved away from this approach. Standard RPMs still provide
> only 3.1.10. Non-standard RPMs, you have no idea where the next one is
> coming from, or whether it suits your needs. If you compile-your-own,
> you get the version you want, anytime you want

In my experience using "unofficial" RPMs from the community is way better than compile-your-own. More people try, test and fix unofficial RPMs than your own build. When you get someone providing those RPMs for many releases, like Eliezer, you can trust it almost like the "official" community packages from your distro.

Besides, on the rare occasions you really need a custom build you can start from the SRPM and still get dependency management, integrity verification and other RPM/yum features that you lose when you compile-your-own.

Better to help improve the RPM packages for the benefit of all the community than selfishly wasting your time on a build only for yourself.

> 2. SELinux
>
> With Squid, normally you don't let end-users on the same server. If
> you don't have end-users on the same server, from a technical point of
> view, SELinux doesn't add value. If you have end-users on the same
> box, you probably have other issues to deal with first.

SELinux is very useful even if no other user has shell access to the machine. Turning off SELinux is like turning off your firewall. JUST DON'T.

Any process that listens for network packets can/will sometimes be vulnerable to a buffer overflow or some other kind of remote exploit. SELinux prevents those -- not only the known ones, but also those yet unknown -- from doing more damage.

If a cracker finds some squid vulnerability but SELinux is enabled and properly configured, he can only mess with the cache files, the things squid normally has to have write access to. But if there's no SELinux, we can find a privilege escalation bug (though rare, those exist) and become root. Even without privilege escalation, we can use the squid process to open network connections to do damage to other internal servers, as your firewall will normally protect only the network edge, and not internal servers from one another.

There are many other possibilities for a successful attack on squid (or any other network server). But SELinux limits even those running as root.

If you turn off SELinux, this means you simply don't understand how it improves security. Some time ago you found you should learn how to configure network firewalls. Just accept you now should learn how to configure SELinux.

[]s, Fernando Lozano
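
A check for the confinement described in the message above, as an added example that is not part of the original e-mail: it takes the SELinux mode and `ps -eZ` output and reports whether every squid process is really running in the policy's squid domain. It assumes the targeted policy's `squid_t` type; the function name is hypothetical and both `ps -eZ` samples are constructed.

```shell
#!/bin/sh
# Constructed sample of `ps -eZ` output: squid confined in squid_t.
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:squid_t:s0     1201 ?        00:00:01 squid
system_u:system_r:squid_t:s0     1203 ?        00:00:07 squid
system_u:system_r:sshd_t:s0-s0:c0.c1023 980 ?  00:00:00 sshd'

# Constructed sample: one extra squid process running outside squid_t.
SAMPLE_PS_BAD="$SAMPLE_PS
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2210 pts/0 00:00:00 squid"

# squid_confinement MODE PS_OUTPUT   (hypothetical helper)
#   MODE      : what `getenforce` prints (Enforcing, Permissive, Disabled)
#   PS_OUTPUT : what `ps -eZ` prints
# Prints one verdict: disabled | not-running | unconfined | permissive | confined
squid_confinement() {
    mode=$1
    ps_out=$2

    # With SELinux disabled no policy is loaded, so labels mean nothing.
    if [ "$mode" = "Disabled" ]; then
        echo disabled
        return 0
    fi

    # The SELinux type is the third colon-separated field of the label.
    types=$(printf '%s\n' "$ps_out" |
        awk '$NF == "squid" { split($1, f, ":"); print f[3] }' | sort -u)

    if [ -z "$types" ]; then
        echo not-running
        return 0
    fi

    # Any squid process outside squid_t is not covered by the squid policy.
    for t in $types; do
        if [ "$t" != "squid_t" ]; then
            echo unconfined
            return 0
        fi
    done

    # Permissive mode only logs denials; it does not block anything.
    if [ "$mode" = "Permissive" ]; then
        echo permissive
    else
        echo confined
    fi
}
```

On a live host the call would be `squid_confinement "$(getenforce)" "$(ps -eZ)"`; only the `confined` verdict corresponds to the protection the message describes.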