Who would / Who wouldn't need to run SELinux?
I have a Linux server at home. Would I need to run SELinux?
What are the advantages of SELinux?
What is the average home user doing?
On Tue, 2006-04-04 at 23:15 -0500, Chris Weisiger wrote:
> Who would / Who wouldn't need to run SELinux?
> I have a Linux server at home. Would I need to run SELinux?
> What are the advantages of SELinux?
> What is the average home user doing?
It's an extra layer of security. You of course can shut it off or you can work through any 'blocks' that it creates that keep you from doing some things. It's up to you.
It would appear that most on this list shut it off, judging only by the relatively few SELinux questions on this list.
I would think that the 'average home user' is more likely to run Fedora than CentOS because the desktop applications are much newer.
Craig
On Tue, Apr 04, 2006 at 09:23:25PM -0700, Craig White wrote:
> On Tue, 2006-04-04 at 23:15 -0500, Chris Weisiger wrote:
> > Who would / Who wouldn't need to run SELinux?
> > I have a Linux server at home. Would I need to run SELinux?
> > What are the advantages of SELinux?
> > What is the average home user doing?
> It's an extra layer of security. You of course can shut it off or you can work through any 'blocks' that it creates that keep you from doing some things. It's up to you.
> It would appear that most on this list shut it off, judging only by the relatively few SELinux questions on this list.
> I would think that the 'average home user' is more likely to run Fedora than CentOS because the desktop applications are much newer.
When I first started with CentOS, I left it off. Today, I use it on all my machines.
If you are only using CentOS on workstations, I would tell you to keep it off. On the other hand, for servers, it does add an extra layer of security.
I keep it active on my workstations, so I can practice for my servers. It is also good to have a single way of running things.
All told, once you understand the basics, SELinux is a nice asset. But it is not easy.
[]s
-- Rodrigo Barbosa rodrigob@suespammers.org "Quid quid Latine dictum sit, altum viditur" "Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
On Wed, 5 Apr 2006, Rodrigo Barbosa wrote:
> All told, once you understand the basics, SELinux is a nice asset. But it is not easy.
Well said!
-- Paul Heinlein heinlein@madboa.com
On Wed, 2006-04-05 at 07:27, Paul Heinlein wrote:
> On Wed, 5 Apr 2006, Rodrigo Barbosa wrote:
> > All told, once you understand the basics, SELinux is a nice asset. But it is not easy.
> Well said!
The problem is that you not only have to understand SELinux, you have to understand the access requirements of all the applications that it controls. These may be fast-changing and controlled by different teams of people, they may have been done long ago by people who have moved on, or they may be third party products dropped in because no one locally wants to deal with that kind of stuff.
On Wed, 2006-04-05 at 09:55 -0500, Les Mikesell wrote:
> On Wed, 2006-04-05 at 07:27, Paul Heinlein wrote:
> > On Wed, 5 Apr 2006, Rodrigo Barbosa wrote:
> > > All told, once you understand the basics, SELinux is a nice asset. But it is not easy.
> > Well said!
> The problem is that you not only have to understand SELinux, you have to understand the access requirements of all the applications that it controls. These may be fast-changing and controlled by different teams of people, they may have been done long ago by people who have moved on, or they may be third party products dropped in because no one locally wants to deal with that kind of stuff.
Running a server on CentOS 4, there isn't much you have to deal with on SELinux - and I would expect that you could relatively easily get answers to the issues caused by SELinux to the point where you wouldn't have to learn much.
Craig
On Wed, Apr 05, 2006 at 09:55:47AM -0500, Les Mikesell wrote:
> On Wed, 2006-04-05 at 07:27, Paul Heinlein wrote:
> > On Wed, 5 Apr 2006, Rodrigo Barbosa wrote:
> > > All told, once you understand the basics, SELinux is a nice asset. But it is not easy.
> > Well said!
> The problem is that you not only have to understand SELinux, you have to understand the access requirements of all the applications that it controls. These may be fast-changing and controlled by different teams of people, they may have been done long ago by people who have moved on, or they may be third party products dropped in because no one locally wants to deal with that kind of stuff.
Or you just do as I do, and keep an eye on "dmesg".
Sure, it is a stupid way to do it, but it works.
-- Rodrigo Barbosa rodrigob@suespammers.org "Quid quid Latine dictum sit, altum viditur" "Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
On Tue, 2006-04-04 at 23:15 -0500, Chris Weisiger wrote:
> Who would / Who wouldn't need to run SELinux?
> I have a Linux server at home. Would I need to run SELinux?
> What are the advantages of SELinux?
> What is the average home user doing?
http://www.redhat.com/v/swf/SELinux/
On Tue, 2006-04-04 at 23:15 -0500, Chris Weisiger wrote:
> Who would / Who wouldn't need to run SELinux?
On servers it is useful as an extra line of defense. I have it enabled on my workstation-ish machines, because it hasn't got too much in the way. Of course, YMMV.
> I have a Linux server at home. Would I need to run SELinux?
I guess that it is up to your own judgement. If the server is only used internally and is not connected to the net, tuning SELinux for your goals may not be worth the hassle. If the server provides services to the outside world, it is seriously worth considering to use SELinux. E.g. a fairly standard webserver usually requires only little modification to the default policies. The upstream vendor's "SELinux Guide" helped me a lot with making smaller modifications:
http://www.centos.org/docs/4/html/rhel-selg-en-4/
> What is the average home user doing?
Most home users that I have seen disable SELinux. Of course, there is a difference between "is" and "ought".
-- Daniel
Chris Weisiger wrote:
> Who would / Who wouldn't need to run SELinux?
> I have a Linux server at home. Would I need to run SELinux?
> What are the advantages of SELinux?
> What is the average home user doing?
Up to you. I imagine the average home user does not run SELinux if it gets in their way, but does if the setup is easy. Just a guess though.
If you are worried about security, I would check out Bastille (http://www.bastille-linux.org/running_bastille_on.htm) and Firestarter (http://www.fs-security.com/).
Bastille changes some of the CentOS default settings to more secure values; Firestarter is an iptables front end that will allow you to easily block outgoing ports and ban IP subnets (two things system-config-security cannot do).