[CentOS] SELinux - way of the future or good idea but !!!

cpolish at surewest.net cpolish at surewest.net
Mon Nov 29 23:02:59 EST 2010


Lamar Owen wrote:

> With SELinux I can set files and whole hierachies to not allow Acrobat
> Reader access of various types, while still alllowing access to those
> areas it needs.  Voila!  Acrobat Reader vulnerabilities and the PDF's
> that exploit them no longer have any power to exploit my system.  Same
> with Flash, Java, and Firefox itself.  If firefox has no need to write
> into my Documents directory, then I can lock out my Documents
> directory to firefox (even when it's running with the right uid:gid
> that would defeat old-school uid:gid based perms) and not worry about
> a malicious website exploiting a firefox zero-day modifying any of my
> files in Documents.

Your enthusiasm for SELinux seems tied conceptually to a workstation
running the set of applications that come with the distribution.
Nothing wrong with that.
-- 
Charles Polisher



More information about the CentOS mailing list