[CentOS] SELinux - way of the future or good idea but !!!

Daniel J Walsh dwalsh at redhat.com
Wed Dec 8 18:47:07 UTC 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/08/2010 10:21 AM, Lamar Owen wrote:
> On Tuesday, December 07, 2010 06:29:44 pm Les Mikesell wrote:
>> I think you've missed the point that 'all that stuff' (being traditional unix 
>> security mechanisms) are not all that insecure.  It is only when you get them 
>> wrong that you need to fall back on selinux as a safety net.   And if you can't 
>> get the simple version right, how can you hope to do it right with something 
>> wildly more complicated?
> 
> Alright, pray tell how I, a desktop Linux user, can, without VM's and without having to switch users, protect my files from a PDF attack through Adobe Reader?  Or a surf-by web infection (NoScript can help; NoScript is also a pain)?  Or a flash bug?  Or any other exploit an attacker will try to use (and the metasploit framework, among others, makes it trivial to set up these) that doesn't require a root exploit to drop stuff in your .bashrc?
> 
> Real world: AJAX, Flash, and Java applets are required for many corporate web sites.  They are also required for online banking and other online SaaS applications, including cloud applications.  PDF fill-in forms are required in many cases as well.  When one of those are compromised (not if, when), how will standard user-based protections help you in a way that doesn't require highly inconvenient solutions like switching users or running 'dangerous' apps in a VM?
> 
> (yes, I run plenty of servers, and I have been a VMware user for a very long time.  But the desktop security use case often gets short shrift, and thus I raise that banner, being that I have been a desktop Linux user for 13+ years)
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

Sandbox -X might help solve some of these problems.  Available in RHEL6

http://danwalsh.livejournal.com/31146.html?thread=212906


http://video.linuxfoundation.org/video/1565

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkz/0qsACgkQrlYvE4MpobPougCeKldyS3LSj+OYBikDmeW4HTEe
ERkAn30fV8TX1v8o5dMpptKIsNlQc9WK
=yU84
-----END PGP SIGNATURE-----



More information about the CentOS mailing list