[CentOS] can't enable selinux CentOS 6.5
Ned Slider
ned at unixmail.co.uk
Wed Dec 31 00:41:14 UTC 2014
On 30/12/14 22:07, Valeri Galtsev wrote:
>
> I have that vague feeling that what I'm about to say will probably be
> declared wrong... Still. From the very beginning I do not consider SELinux
> adding to the security of the system. How can it if it can be turned off
> on the fly? On the other hand, it adds hundreds of thousands of lines to
> kernel code which does exactly opposite: deteriorates security by
> potentially introducing bugs. I discovered at some point that there are
> other people out there who share this opinion ;-)
>
> So, my question is: can someone design attack scenario which would be
> successful if it were not for SELinux, and which is thwarted by SELinux.
> Note that the fact that script kiddie just forgot to put as a first line
>
> /usr/sbin/setenforce 0
>
> doesn't make such example a solid case pro SELinux for me.
>
> Thanks a lot for your insight! (Always hoping to learn ;-)
>
Disabling SELinux requires root privileges at which point most all
security implimentations are pretty useless.
Firewalls add much code to the kernel and can also be "turned off on the
fly" by any "script kiddie" with root privileges. Should we discount
them too?
IMHO your arguments are weak with bad examples. The questions you should
be asking is how effective would SELinux be in preventing an initial
remote exploit, or preventing an attacker gaining further escalation of
privileges once they have gained access to the system.
In answer to your question, you will find lots of good real life
examples in Dans' blog here:
http://danwalsh.livejournal.com/
More information about the CentOS
mailing list