On 6/18/07, Stephen Harris lists@spuddy.org wrote:
On Mon, Jun 18, 2007 at 10:31:30AM -0600, Stephen John Smoogen wrote:
On 6/18/07, Stephen Harris lists@spuddy.org wrote:
I've not heard a good reason to keep SELinux enabled, to be honest. For high sensitivity stuff, sure (much like using SEOS on Solaris for high sensitivity machines - eg those where third parties might have access). But as a general rule for all machines? Why?
Good experience... I have had multiple webservers not have successful
Yup. Webservers are machines where third parties might have access, and so are candidates for enhanced security processes such as SELinux or SEOS.
I've never said there are _no_ cases for SELinux. I was questioning it as a general rule for all machines.
Several of the problems were machines that were not connected to the internet or were deep behind firewalls. The problems were that all it takes is one user who doesnt think well to make all those firewalls/issues useless. E.G the person who coming in from work finds a nice shiney USB fob and plugs it into a work computer to see who it belonged to so they could return it. The guy who downloads an attachment supposedly from the partner in France and wonders why the system runs so slowly. The fellow who has an addiction to porn and decides that he just has to meet that 'blonde' who just wrote him about sharing pictures. Etc etc.
While a lot of these things sound Windows specific.. there is a boutique industry in doing it for Linux especially when you know that the company you are wanting to infiltrate is using Linux for 'security means'.
Or to be direct.. there is no such thing as a secure computer.. it is up to you as the site administrator to determine what is safe enough for Your Site using appropriate risk management. If you believe your site has enough methods of protection or are that the cost of extra security (selinux) is not appropriate for your risk model.. you can turn it off.