On 9/21/07, Mike McCarty <Mike.McCarty at sbcglobal.net> wrote: > Jim Perrin wrote: > > On 9/21/07, Mike McCarty <Mike.McCarty at sbcglobal.net> wrote: > > > > > >>WRT SELinux, just disable it is my suggestion. Or perhaps > >>switch to another distro which is not yet infected. > > > > > > Why yes, ignoring security or bypassing it alltogether rather than > > learning how to protect your systems is an EXCELLENT idea. I highly > > Sarcasm is unbecoming. I suppose you are unaware of the > long and bitter discussions on Fedora about SELinux? I'm aware of them, and I'm on the side supporting selinux, however it doesn't make much sense for desktop systems. Servers on the other hand can very much benefit from selinux. > SELinux does not prevent nor report people "poking your server". Depends on how you define poking. Mine may be different but I consider portscans and such "The cost of doing business online". If someone's trying an apache/php etc exploit, that's a poke. And selinux does report the ones which attempt to read/write places where it's not supposed to. > SELinux is complicated, FULL STOP. It's a wrong-headed approach. Complicated doesn't mean that it's wrong headed. it simply means it's complicated. By this logic people shouldn't use sendmail either (okay, I dislike sendmail but you get my point). > Any security system which is not already rock solid is not going > to be made any more secure from attack by adding SELinux. It might > possibly suffer somewhat less damage, though that's debatable. This just isn't correct. Keeping programs from accessing things they don't need access to is ALWAYS better than not. With traditional DAC owner/group/world permissions, this just isn't possible once you start adding complexity. > > For webservers, the belt+suspenders combination of mod_security and > > selinux is damn near unbeatable. > > You have personal experience with SELinux "saving" your system? Yes, actually. We have a few systems here which run older versions of insecure php applications. SELinux keeps folks from dropping shell scripts into place on the system (a fairly common attack) and mod_security keeps the sql injections out. Added system security features help, but on the older (RHEL3 boxen) attackers can mostly just walk right in. -- During times of universal deceit, telling the truth becomes a revolutionary act. George Orwell