[CentOS] SELinux - way of the future or good idea but !!!

Les Mikesell lesmikesell at gmail.com
Mon Nov 29 13:35:13 EST 2010


On 11/29/2010 10:40 AM, Lamar Owen wrote:
> On Sunday, November 28, 2010 05:40:41 pm brett mm wrote:
>> In reality, I am not at all sure that a quantum leap in complexity
>> adds to security at all. Any proper use of old-school group
>> permissions can give as finely-grained a security policy as you would
>> like.
>
> No, it won't.
>
> Suppose I'm running CentOS on a workstation, and have a need to access a corporate webapp written in Flash, read corporate documents in PDF, and use other applications written in Java.  So I'm going to be living in my browser for most things corporate.
>
> How can I prevent a compromised PDF from gaining an attacker access to my entire home directory?  More to the point, how to I prevent that PDF from gaining WRITE access to files in my home directory (say, .bashrc for instance)?

If you don't trust your software, run it under a uid that doesn't have 
write access to anything important - or in a VM or a different machine 
for that matter.  X has no problem displaying programs running with 
different uids or locations.

-- 
   Les Mikesell
    lesmikesell at gmail.com


More information about the CentOS mailing list