On Sat, May 17, 2014 at 5:47 AM, Fernando Lozano <fernando@xxxxxxxxxxxxx> wrote: > In my experience using "unofficial" rpms from the community is way > better than compile-your-own. More people try, test and fix unofficial > rpms than your own build. When you get someone providing those RPMs for > many releases, lie Eliezer, you can trust it almost like the "official" > community packages from your distro. > > Besides, in the rare occasions you really need a custom build you can > start from the SRPM and still get dependency management, integrity > verification and other RPM/yum features that you loose then you > compile-your-own. > > Better to help improve the RPM packages for the benefit of all the > community than selfishly wasting your time on a build only for yourself. Compiling your own Squid is straightforward, and have the added flexibility of installing multiple versions (for testing) and adjusting configure options for one's specific requirements when you need it, anytime you need it. RPMs add little value from a technical perspective. In fact, it subtracts value because you have an unnecessary component to maintain and debug. These are technical points - "official" and selfishness doesn't come into it. > SELinux is very usefull even if no other user has shell access to the > machine. Turning off SELinux is like turning off your firewall. JUST DON'T. > > Any process that listens for network packets can/wiil sometimes be > vulnerable to a buffer overflow or some other kind of remote exploit. > SELinux prevents those -- not only the known ones, but also those yet > unkown -- from doing more damage. > > If a cracker finds some squid vulnerability but SELinux is enabled and > properly configured, he can only mess with the cache files, the things > squid normally has to have write access. But it there's no SELinux, we > can find a privilege escalation bug (though rare, those exists) and > become root. Even without privilege escalation, we can use the squid > proces to open network connections do do damage to other internal > servers, as your firewall will normally protect only the network edge, > and not internal servers from one another. > > There are many other possibilities for a succesfull attach to squid (or > any other network server). But SELinux liimts even those running as root. > > if you turn off SELinux, this means you simply don't understand how it > improves security. Some time ago you found you should learn how to > configure network firewalls. Just accept you now should learn how to > configure SElinux. I examine the added-value of a feature and prioritize them accordingly rather than just use them because it's there. For other types of servers, yes, it may have a role, but for a Squid-only server where there is no data to protect, SELinux becomes low down in the list of priorities. The priority is to make sure it only has the access it needs to other internal servers if any, and nothing else, using either iptables, network ACLs, placing it in the DMZ or all of those. There are numerous replies from people who explain why they don't use SELinux in the following link, and they can express it better than I can. http://major.io/2013/04/15/seriously-stop-disabling-selinux/