On Sunday, November 28, 2010 10:37:29 pm Les Mikesell wrote:
But that means you were running software with vulnerabilities or a user would not be able to become root anyway. Is that due to not being up to date (i.e. would normal, non-SELinux measures have been enough), or was this before a fix was available?
By definition we are all running software with vulnerabilities. Those vulnerabilities may not be public knowledge yet, but they are there, and many are likely known by the blackhats already, and kept 'mum.'
Fixing vulnerabilities and keeping up to date alone is insufficient to keep you secure. Can you say 'zero day?'
SELinux is a powerful tool in helping combat zero day exploits from succeeding, in many cases.
Can it be a pain? Sure it can. It has improved greatly, in my experience, thanks in no small part to the dedicated Fedora team working on selinux packages. This inlcudes the upstream developers, the Fedora packagers, the QA team, and ESPECIALLY the Fedora users who take time to file informative and useful reports while using the system with SELinux in enforcing mode. No pain, no gain.
I've run with SELinux in enforcing (targeted) mode on my laptop, now, since Fedora 11, and have only had two issues that required some head-scratching. One was solved by a relabel. The other was a little more devious, but a little tweaking which in permissive mode showed me the solution. I did learn a couple of really good lessons from that, though. The first was to always keep a Fedora Live boot media with the laptop (CD or USB, or another partition on the hard disk). The second was that there are some updates that must occur in pairs, and occasionally a relabel of at least part of the filesystem is going to be required. But that's not hard to trigger, and isn't that inconvenient.