I agree with this 100%. We do need to get rid of the root user. RedHat shouldn't even configure a root password. It should instead configure a regular user password and give that user sudo. All of the new servers I have deployed at my shop have SE Linux running in targeted policy. Once I get some more things under control I am going to work on switching them to a strict policy. SE Linux is the technology we need to embrace if we really want to avoid becoming a serious target for viruses and trojans like MS Windows. SE Linux can even protect users from themselves to some degree by wrapping the browser and email programs in a policy which even prevents damage when a user executes an attachment from his email program. Attachments saved out from email can be marked with a certain type and have a restricted security policy since we know they came from an untrusted source. There is lots of potential for good here. A while back Michael Robertson said everything should run as root and that even if a user runs everything as his own UID and gets exploited he can still lose everything in his homedir, which is all that matters to him. SE Linux can negate that argument as well.
I have no problem with not having a root user. I've been running Ubuntu on my laptop for almost 6 months now and I don't miss it one bit. The problem I foresee with SELinux is for the common everyday user. I know some will respond that if you run linux as your desktop, you are not the common everyday user. Perhaps. I am not a sysadmin. I don't even work in the IT sector. I can set up all the common services with minimal difficulty, but I can't seem to get my head around SE Linux. Is it an application? Is it a set of tools? I keep hoping to find a nice little gtk (or whatever the widget du jour is) applet that pops up and guides me through securing my box. The article discusses domains which I know aren't of the dns or Active Directory/LDAP variety. I'm guessing they have something to do with various levels of security and permissions, but I can't be sure. When I first started playing with linux, the install and config was the best part. These days I have much less free time to re-install; I just want to get stuff done. It takes the better part of a day (for me) to get a workstation configured and tweaked the way I like it. Adding SE Linux into the mix seems like a whole different beast...something that could take days to do properly. I guess I'm afraid that I would never get around to doing it unless the installer did the bulk of the work for me. How important could it be to have a home workstation running SE Linux? Is the common everyday user going to be able to comprehend what it does and how it protects them and their data?

-Mike

--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
