[CentOS] SELinux - way of the future or good idea but !!!
Tom H
tomh0665 at gmail.com
Thu Dec 9 15:39:00 UTC 2010
On Wed, Dec 8, 2010 at 11:10 AM, Les Mikesell <lesmikesell at gmail.com> wrote:
> On 12/8/2010 4:04 AM, David Sommerseth wrote:
>> iptables is a de-facto standard on all Linux distributions nowadays. It
>> is not ratified by ISO, IETF or similar ... but how does that make the
>> real life scenario any different? That's just a piece of paper.
>> iptables works, and so does SELinux - when you learn how to use it.
>
> The real life situation is that iptables only works on linux and the way
> it works is distribution-dependent. So what you learn may lock you into
> a platform that may not always be your best choice.
iptables rules are distribution-independent. Different distributions
dump the iptables control and config files in different locations...
>> SELinux came as a result that someone found weaknesses and wanted to try
>> to avoid security issues. Just like when firewalls began to become so
>> popular 20-30 years ago or so. There was a need to improve something,
>> and someone did the job. Nobody cared much about firewalls in the early
>> 80's. Why? Maybe because nobody thought anyone would abuse or misuse
>> the network infrastructure?
>
> Does that mean you would not be comfortable moving your applications to
> SUSE, Solaris, OS X, Windows, etc.? I don't want that kind of lock-in.
SUSE has apparmor (which it considers equivalent/superior) but you
probably can install selinux on it (you can on Ubuntu and Debian).
Solaris has Trusted Extensions for MAC and RBAC.
OS X has a Macified version of TrustedBSD.
Windows has UAC.
(In the same way that the last three have their own firewall apps!)