[CentOS] SELinux - way of the future or good idea but !!!

Tue Nov 30 02:10:56 UTC 2010
Christopher Chan <christopher.chan at bradbury.edu.hk>

----- Original Message ----- 
From: "Les Mikesell" <lesmikesell at gmail.com>
To: <centos at centos.org>
Sent: Tuesday, November 30, 2010 6:19 AM
Subject: Re: [CentOS] SELinux - way of the future or good idea but !!!


> On 11/29/2010 4:09 PM, Christopher Chan wrote:

>>> If you don't trust your software, run it under a uid that doesn't have
>>> write access to anything important - or in a VM or a different machine
>>> for that matter.  X has no problem displaying programs running with
>>> different uids or locations.
>>>
>>
>> Hurrah! That's it! Just move the problem elsewhere.
>
> Yes, if you are concerned about security of certain files it is indeed a
> good idea to run software you don't trust elsewhere.  And if the problem
> is not trusting software, why are you putting blind faith in the SELinux
> code?

Oh certainly. That is why there is a separate SELinux user context for
apache too.
Blind faith in SELinux code? Hey, let's not run anything at all then.
SELinux provides an extra layer of security to use against exploits that may
go beyond what we can do with the usual POSIX provisions. I do not see why
you have a problem with it.


>
>> Oh, you snipped out
>> a bit too much. Write access is not just the problem. Being able to
>> upload and execute is also a problem. Can you say 'bot'?
>
> You don't need SELinux to mount the space writable by the uid in
> question with the noexec option.
>

IF that zero day exploit actually uploads to that space only.
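
The exchange above turns on whether a noexec mount covers every location the uid in question can write to. The following audit sketch is an added example, not part of the original message: it maps each writable directory to its mount and reports those where execution is still allowed. The mount table and directory list are constructed sample data, and the function names are hypothetical.

```python
# Constructed sample in /proc/mounts format:
# device mountpoint fstype options dump pass
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
/dev/sda2 /var ext3 rw,nosuid 0 0
/dev/sda3 /var/www/uploads ext3 rw,noexec,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw 0 0
/dev/sda5 /tmp ext3 rw,noexec,nosuid 0 0
"""

# Hypothetical list of directories the service uid can write to.
WRITABLE_BY_UID = ["/var/www/uploads", "/tmp", "/var/tmp",
                   "/dev/shm", "/var/cache/app"]


def parse_mounts(text):
    """Return [(mountpoint, set_of_options)] from /proc/mounts-style text."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            mounts.append((fields[1], set(fields[3].split(","))))
    return mounts


def mount_for(path, mounts):
    """Longest mountpoint containing path (overmounts are not modelled)."""
    best = None
    for mp, opts in mounts:
        prefix = mp.rstrip("/") + "/"
        if (path + "/").startswith(prefix):
            if best is None or len(mp) > len(best[0]):
                best = (mp, opts)
    return best


def exec_allowed(paths, mounts):
    """Writable paths whose mount is read-write and lacks noexec."""
    findings = []
    for p in paths:
        hit = mount_for(p, mounts)
        if hit and "rw" in hit[1] and "noexec" not in hit[1]:
            findings.append((p, hit[0]))
    return findings


if __name__ == "__main__":
    # On a real host, pass open("/proc/mounts").read() instead of the sample.
    for path, mp in exec_allowed(WRITABLE_BY_UID, parse_mounts(SAMPLE_MOUNTS)):
        print(f"{path}: writable and executable (mount {mp})")
```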