[CentOS] Running SELinux necessary for the average user?

Thu May 3 05:40:39 UTC 2007
Les Bell <lesbell at lesbell.com.au>

"Preston Crawford" <me at prestoncrawford.com> wrote:

>>
Is it necessary for my machine to be fairly secure?
<<

No, as long as you take all the usual precautions:

* Removing - or at least not running - unnecessary services
* Keeping the system patched up-to-date (easy with yum, etc.)
* Choosing strong passwords - or not using passwords for login across the
Internet at all; generate an OpenSSH RSA 1024-bit key and use that instead
* Never use protocols that transmit passwords in plaintext across the
Internet (telnet, POP/IMAP without SSL, etc.)
* Never logging in as root, but only using su to become root when
necessary, for as short a time as necessary
* Adding some firewall rules to (e.g.) rate-limit SSH connections to block
brute-force password-guessing attacks
* Use Postfix rather than Sendmail (though Sendmail has stood the test of
time. by now)

These are the major "good practices" required, though some people will
doubtless suggest others (and probably quibble with some of the above ;) ).
There have been Linux servers and workstations sitting on the Internet for
many years without SELinux support, demonstrating it's not necessary.

SELinux is a Thing of Beauty and a Joy Forever; I've used it myself for
specialised situations, but people can - and do - run securely for years
without it.

Best,

--- Les Bell, RHCE, CISSP
[http://www.lesbell.com.au]
Tel: +61 2 9451 1144
FreeWorldDialup: 800909