[CentOS] SELinux - way of the future or good idea but !!!

Christopher Chan christopher.chan at bradbury.edu.hk
Tue Nov 30 12:41:25 UTC 2010


On Tuesday, November 30, 2010 07:45 PM, Leonard den Ottolander wrote:
> Hello Les,
>
> On Mon, 2010-11-29 at 12:35 -0600, Les Mikesell wrote:
>> If you don't trust your software, run it under a uid that doesn't have
>> write access to anything important - or in a VM or a different machine
>> for that matter.  X has no problem displaying programs running with
>> different uids or locations.
>
> Using a "safe uid" will not stop a buffer overflow from happening and
> causing a privilege escalation if such an issue exists in the software.
> SELinux will negate most of the damage by disallowing even the escalated
> process access to resources it shouldn't touch.
>
> With the ever increasing complexity of software is there any software
> you trust? I know I don't. Are you running your Flash plugin in Mozilla
> as a different user than the one you logged into under X? Care to
> elaborate how to accomplish such a feat? Or can you provide any
> pointers?
>

Forget it, Leonard. He says he has no problem with SELinux but he has
strenuously tried to come up with every sort of excuse he can think of
to tell others to not bother with it. So it seems to me that he is
either trolling or is willing to make himself a soundboard for others to
see the need to implement and run SELinux.


