[CentOS] selinux stuff - I just don't get

Jim Perrin jperrin at gmail.com
Mon Nov 14 16:05:48 UTC 2005


On 11/14/05, Les Mikesell <lesmikesell at gmail.com> wrote:
> On Mon, 2005-11-14 at 08:29, Jim Perrin wrote:
> > >
> > > Selinux just adds bloat that we've managed without for many many years.
> > >
> >
> > We used to manage just fine with telnet for many many years also, and
> > these days I wouldn't think of accessing a machine via telnet.
> > If you don't change with the times, you're going to get steamrolled by
> > them.
>
> But note that there have been times that having ssh enabled exposed
> your system to additional exploits.

I never said it didn't. However it protected people from far more than
it allowed, which was my point. With ssh, it was more difficult to gain
access to the system simply by running grep against a packet dump for
a username and password as was the case with telnet.

>
> > Another layer of complexity to allow another layer of
> > > holes/backdoors/exploits.
> >
> > Given the organization who gave us selinux and their dire need for
> > security, I get the feeling it'll block many more problems than it
> > allows, just as ssh did.
>
> Except for the versions of ssh that allowed exploits...
>

See point above.




--
Jim Perrin
System Architect - UIT
Ft Gordon & US Army Signal Center
