On Wed, 2006-09-20 at 18:10 +0100, Peter Farrow wrote: <snip> > Since SElinux seems to spawned as an intern type project and nothing > more, what I object to is it being enabled by default. FUD #1 It is not an interim project for RH ... it will be supported for 7 years in RHEL4 and also if it stays in RHEL5, for 7 years there as well. > > -- when really it should be an option to enable it, which a warning > that it wasn't tested for vulnerabilities, does not > add any official security value to Linux and will of course slow the > system down. FUD #2 It does add security value to the OS ... you have misquoted the site. By limiting the access of certain processes to do things outside certain directories, you mitigate the damage caused by almost any exploitable remote root vulnerability ... it does not, however, FIX the vulnerability. So, it does not make your system less likely to be compromised ... it does limit the damage. Also, the upstream provider does test SELinux ... much like they do for apache, mysql, etc. They will patch and feed back problems to that, just like they do any other package. > Furthermore it adds a layer of > security obfuscation which will in itself lead to administrators > making mistakes and inadvertently lowering security > as it is such a PITA. > FUD #3 It can not lower anything ... if it is misconfigured, it is not any worse than being off (from a security perspective). All the standard system setting will apply. > Unices were configurable to be secure by many a competant > administrator before this addition of bloat to the OS. > > I choose not to use it, but ocassionally on some of my RHEL installs I > forget to turn it off, > if it is off by default I wouldn't need to keep removing it! > Well ... do you forget to add your database to a database server or httpd to your web server and have it functino properly? Probably not. > What I find most curious is, despite the authors of it claiming > nothing of any note about it in terms of security, > and in fact in the link I originally posted the authors go quite some > way to distance themselves from claiming > it adds any actual security, and hasn't been tested for > vulnerabilities as such, that some people still swear by it as > the gospel truth and the only one true path. Whilst such religious > commitment to an unproven cause undoubtedly > shows good faith, I would add that such blind practices are best left > to sunday school or the church sermon. You are just flat out wrong in your assertions ... what they are saying is that it is not a magic bullet. It, when used properly in a layered approach, does make your machines more secure. chown and chmod do not add "security" to your server if installed ... however, as tools, when used properly they certainly can make your server operate more securely. Choose to use selinux or not ... but stop with the FUD please. Thanks, Johnny Hughes <snip> -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part URL: <http://lists.centos.org/pipermail/centos/attachments/20060920/256de4eb/attachment-0005.sig>