Tracy R Reed wrote:
> kelsey hudson wrote:
> > I'm a seasoned systems admin, and I log in as root. I always have. I
> > always will. SELinux may be great for some things, for the
> > ultra-paranoid, and the necessity for things to be ultra-secure, but
> > honestly, in the real world 99% of the functionality just isn't
> > needed if you set your system up properly, with sane configurations
> > and an appropriate firewalling scheme.
>
> The problem is what do you do when ssh suddenly has a vulnerability such
> as a few years ago? Without SE Linux you have no recourse. That affects
> pretty much every machine, server or not, since almost everyone runs ssh.

It affected mostly only the BSDs. It could have affected others, though. Oh, we also had a window so that your vendor could release a patch, and you could apply that patch before it was widely announced.

I fondly remember buying into the hype, and I remember getting upset at the OpenBSD folks for over-hyping the vulnerability. I do understand their point; it was their first remote-root exploit in a default install of the OpenBSD system. A good reason to get jumpy.

If you want 100% security, you know the drill: encase in concrete with no network and no power. For something more usable, you will have to live with the *risk* of vulnerabilities.

At this time, SELinux errs too much on the Secure side and restricts Usability in Unacceptable Ways, IMHO. I do think it has a better basis than LIDS did.

> > Security, like most things, is all relative. You only employ as much as
> > you need.
>
> Given the number of intrusions and other security related problems who
> really has as much security as they need?

Most people, actually. Perhaps you meant to ask how many people have as much security as you want them to?

-john

I'd sooner take down all the systems running Sendmail, PHPNuke, wuftpd or BIND than insist upon people using SELinux. Yes, this means any past, current, or future versions of said programs.

--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
