On Mon, 2007-06-18 at 12:03 -0400, Stephen Harris wrote:
I've not heard a good reason to keep SELinux enabled, to be honest. For high sensitivity stuff, sure (much like using SEOS on Solaris for high sensitivity machines - eg those where third parties might have access). But as a general rule for all machines? Why?
One of the major goals of SELinux is to restrict the impact of 0-day vulnerabilities. If there is an ugly exploit for some network-facing daemon, it is a good idea to restrict the potential damage as possible. Besides that, due to the restrictions that SELinux imposes, it can also catch a class of configuration errors that impact security.
Sure, it does not solve all security problems. But IMO it is a step forward from running daemons with (nearly) the rights of a normal user.
-- Daniel