I am *this* close to disabling selinux!

Kristian Hermansen kristian.hermansen at gmail.com
Sun Apr 29 01:33:37 EDT 2007


On 4/29/07, David Kramer <david at thekramers.net> wrote:
> 1) Thank you.  That worked.

np...

> 2) Will that survive a reboot?  Did it change the default policy, or
> just the running policy?

not sure...I don't like SELINUX :-)  It is very difficult to
use/maintain and it is a real PITA.  It really depends what you are
trying to do.  Why do you have it on?  What are you trying to protect
against?  Don't just enable it blindly and expect it to protect your
system.  There are many paths to better security...

> So yes, there's this pretty good tool if you stumble upon it, but how
> can you have a tool that's so invasive without accessible documentation?

A buddy of mine's father worked on SELINUX for the NSA.  He gave a
presentation on it a few years back.  I checked it out.  Maybe I'm
naive, but I haven't been able to put it to great use.  Sure, you can
try to enable it and convince yourself about security, but you really
need to know details about the internals to make it work for you.  And
anyways, there are many browser exploits these days and I don't think
SELINUX is going to protect someone from stealing your GPG keys once
they pwn yer browser from client side...
-- 
Kristian Hermansen
