On Sun, 2014-03-09 at 07:39 +1300, Volker Kuhlmann wrote:
> On Sat 08 Mar 2014 16:12:52 NZDT +1300, Steve Holdoway wrote:
> 
> > >Useless bloody security system that offers nothing. No wonder it's
> > >often just turned off.
> 
> > Security for people who can't understand file permissions.
> 
> Isn't that a bit much ignorance? It is supposed to be a system to protect
> you after your box has been partially compromised and your file
> permissions have become useless, as well as giving you much finer
> control (the ACL thing was already an afterthought, and it shows).

Nope. Not in my view. If your server is partially (if there is such a
thing) compromised, then MACs and DACs will protect you just as well. If
the perp has root access then SELinux isn't going to protect you from
anything more.

> 
> Also, the *ix file permission system sucks in very large parts. There
> are a gazillion files on the system any particular service process does
> not need any access to, and as you know, access to anything not needed
> should be shut down. selinux/apparmor allow you to do that, as well as
> deal with the exceptions that may arise. Your file permissions are
> pathetic in comparison. They also don't allow you to control things like
> network interfaces or the capabilities system, though I'm unsure off the
> top of my head whether selinux does.

See above. Being able to read stuff does technically expand the threat
surface, but you still can't modify it. The risk of this compared to the
added effort configuring SELinux is a no-brainer for me, and selinux
loses.

It's like these people who firewall every incoming port, whether there's
a service listening on it or not. Looks impressive, but it's just harder
to maintain.

> 
> Volker
> 

But then perception of risk is a purely personal thing, coloured by your
own experiences...

Steve

-- 
Steve Holdoway BSc(Hons) MIITP
http://www.greengecko.co.nz
Linkedin: http://www.linkedin.com/in/steveholdoway
Skype: sholdowa

_______________________________________________
Linux-users mailing list
[email protected]
http://lists.canterbury.ac.nz/mailman/listinfo/linux-users
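The disagreement above (a service uid that can read every world-readable file under DAC alone, versus a MAC profile that confines it to what it needs, including network and capabilities) is easiest to see in a concrete profile. The following AppArmor profile is an added example, not from the thread and not any distribution's shipped profile; the binary path /usr/sbin/httpd-example and every directory in it are assumptions for a hypothetical web server.

```apparmor
# Added example profile (hypothetical daemon); all paths are assumptions.
#include <tunables/global>

/usr/sbin/httpd-example {
  #include <abstractions/base>

  # Capabilities: only what is needed to bind ports 80/443 before
  # dropping privilege. chown, setuid, sys_admin etc. stay unavailable.
  capability net_bind_service,

  # Network: TCP over IPv4/IPv6 only. Raw, packet and netlink sockets
  # are refused even if the process is later made to try them.
  network inet stream,
  network inet6 stream,

  # Files the daemon legitimately needs, read-only.
  /etc/httpd-example/** r,
  /var/www/** r,

  # Logs: write only, and only its own log directory.
  /var/log/httpd-example/*.log w,

  # Runtime state (pid file, sockets).
  /run/httpd-example/** rw,

  # Anything not listed is already denied; explicit deny rules document
  # the intent and silence audit noise for world-readable paths that a
  # web server has no reason to open but plain DAC would let it read.
  deny /home/** rwkl,
  deny /etc/ssh/** r,
  deny /etc/passwd r,
}
```

Develop it in complain mode (aa-complain) and load with apparmor_parser -r; the audit log then shows exactly which extra paths the daemon actually touches before you switch to enforce.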
