[CentOS] SELinux - way of the future or good idea but !!!

Les Mikesell lesmikesell at gmail.com
Mon Nov 29 17:19:57 EST 2010

On 11/29/2010 4:09 PM, Christopher Chan wrote:
>>>> In reality, I am not at all sure that a quantum leap in complexity
>>>> adds to security at all. Any proper use of old-school group
>>>> permissions can give as finely-grained a security policy as you would
>>>> like.
>>> No, it won't.
>>> Suppose I'm running CentOS on a workstation, and have a need to access a corporate webapp written in Flash, read corporate documents in PDF, and use other applications written in Java.  So I'm going to be living in my browser for most things corporate.
>>> How can I prevent a compromised PDF from gaining an attacker access to my entire home directory?  More to the point, how do I prevent that PDF from gaining WRITE access to files in my home directory (say, .bashrc for instance)?
>> If you don't trust your software, run it under a uid that doesn't have
>> write access to anything important - or in a VM or a different machine
>> for that matter.  X has no problem displaying programs running with
>> different uids or locations.
> Hurrah! That's it! Just move the problem elsewhere.

Yes, if you are concerned about security of certain files it is indeed a 
good idea to run software you don't trust elsewhere.  And if the problem 
is not trusting software, why are you putting blind faith in the SELinux 

> Oh, you snipped out
> a bit too much. Write access is not just the problem. Being able to
> upload and execute is also a problem. Can you say 'bot'?

You don't need SELinux to mount the space writable by the uid in 
question with the noexec option.

   Les Mikesell
    lesmikesell at gmail.com
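
The noexec suggestion above can be checked from the mount table. The following is an added example, not part of the original post: it finds the mount that covers each directory writable by the untrusted uid and reports the ones that lack noexec. The mount table, the /home/untrusted path and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format:
# device  mountpoint  fstype  options  dump  pass
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev 0 0
/dev/sda3 /home/untrusted ext4 rw,nosuid,nodev,noexec 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0'

# Print the mount options of the filesystem that holds path $1.
# $2 is a mount table as text; it defaults to the live /proc/mounts.
# Limitations: symlinks are not resolved, and mount points containing
# spaces (escaped as \040 in /proc/mounts) are not decoded.
mount_opts_for() {
    path=$1
    table=${2-$(cat /proc/mounts)}
    printf '%s\n' "$table" | awk -v p="$path" '
        {
            mp = $2
            # A mount covers the path if it is "/", equals the path, or is
            # a directory prefix of it (so /home/untrustedX is NOT covered
            # by /home/untrusted).
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                # Longest mount point wins; on a tie the later line wins,
                # because a later mount shadows an earlier one.
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END { if (opts != "") print opts }'
}

# Succeed if the filesystem holding path $1 is mounted noexec.
is_noexec() {
    case ",$(mount_opts_for "$@")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = mount table text, remaining args = directories the untrusted uid
# can write to. Prints every directory that is NOT on a noexec mount.
audit_writable_dirs() {
    tbl=$1; shift
    for d in "$@"; do
        is_noexec "$d" "$tbl" || printf '%s\n' "$d"
    done
}

# Stand-alone run against the constructed table; prints /var/tmp
audit_writable_dirs "$SAMPLE_MOUNTS" /tmp /home/untrusted /var/tmp
```

noexec blocks direct execution of files stored on that mount; it does not stop an interpreter that lives elsewhere from reading a script stored there.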
