[CentOS] can't enable selinux CentOS 6.5

Valeri Galtsev galtsev at kicp.uchicago.edu
Tue Dec 30 22:07:25 UTC 2014


On Tue, December 30, 2014 3:45 pm, James B. Byrne wrote:
>
> On Tue, December 30, 2014 03:18, Digimer wrote:
>> What possible reason could they have for that?
>>
>> On 30/12/14 02:17 AM, Laurent Dumont wrote:
>>> By any chance, is it a VPS? I know that my CloudAtCost (very cheap but
>>> extremely unreliable provider) prevents you from using SELinux on their
>>> CentOS image.
>
> No mysterious breakages == lower support costs.  The same reason Microsoft
> shipped everything on and open for years and thereby built up the malware
> industry from scratch.

I have that vague feeling that what I'm about to say will probably be
declared wrong... Still. From the very beginning I do not consider SELinux
adding to the security of the system. How can it if it can be turned off
on the fly? On the other hand, it adds hundreds of thousands of lines to
kernel code which does exactly the opposite: deteriorates security by
potentially introducing bugs. I discovered at some point that there are
other people out there who share this opinion ;-)

So, my question is: can someone design an attack scenario which would be
successful if it were not for SELinux, and which is thwarted by SELinux?
Note that the fact that a script kiddie just forgot to put as a first line

/usr/sbin/setenforce 0

doesn't make such an example a solid case pro SELinux for me.

Thanks a lot for your insight! (Always hoping to learn ;-)

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++


