[CentOS] SELinux - way of the future or good idea but !!!
Lamar Owen
lowen at pari.edu
Wed Dec 8 15:21:36 UTC 2010
On Tuesday, December 07, 2010 06:29:44 pm Les Mikesell wrote:
> I think you've missed the point that 'all that stuff' (being traditional unix
> security mechanisms) are not all that insecure. It is only when you get them
> wrong that you need to fall back on selinux as a safety net. And if you can't
> get the simple version right, how can you hope to do it right with something
> wildly more complicated?
Alright, pray tell how I, a desktop Linux user, can, without VM's and without having to switch users, protect my files from a PDF attack through Adobe Reader? Or a surf-by web infection (NoScript can help; NoScript is also a pain)? Or a flash bug? Or any other exploit an attacker will try to use (and the metasploit framework, among others, makes it trivial to set up these) that doesn't require a root exploit to drop stuff in your .bashrc?
Real world: AJAX, Flash, and Java applets are required for many corporate web sites. They are also required for online banking and other online SaaS applications, including cloud applications. PDF fill-in forms are required in many cases as well. When one of those are compromised (not if, when), how will standard user-based protections help you in a way that doesn't require highly inconvenient solutions like switching users or running 'dangerous' apps in a VM?
(yes, I run plenty of servers, and I have been a VMware user for a very long time. But the desktop security use case often gets short shrift, and thus I raise that banner, being that I have been a desktop Linux user for 13+ years)
More information about the CentOS
mailing list