[aklug] Re: RE Selinux

From: adam bultman <adamb@glaven.org>
Date: Tue Jun 02 2009 - 20:56:31 AKDT

Maybe I'm daft, but I make every effort to enable SELinux whenever
possible.

If there's a piece of vendor software that disallows its use (such as
Plesk) then I don't use it.

However, everything else I run, I enable SELinux as much as possible.
My linux web servers, dhcp servers, database server, etc, all run
SELinux. If the daemon simply doesn't support it, there'll be a boolean
to disable SELinux just for that daemon. (setsebool -P
somedaemon_disable_trans=1)

Yes, SELinux takes extra time to deploy, and if you don't want to learn
it, it's going to be a huge PITA to you at every turn unless you tweak
your kickstart config file appropriately. But I'm not perfect, and
AFAIK, nobody is, and therefore you cover your ass as much as possible.
I close down unused ports, firewall off other ports that shouldn't be
open to the world, etc - but I can't find every weak spot in the armor,
I can't anticipate some schmuck uploading something or some script
kiddie from exploiting some obscure problem - and that's where SELinux
might save my bacon.

I'm not looking to impress my bosses - they probably have no idea what
SELinux is, why it is important, why it makes things safer, at the
slight expense of the learning curve - I'm looking to avoid getting
paged at night when some server's ethernet interface pegs at a gigabit
because some script kiddie fired up an irc server, or having to mop up
after a spambot who got in through a web page mailer bug, and/or
started serving up random content.

As a previous boss said, "I'm lazy, but Larry Wall lazy". I'm extremely
busy at work - but little bits of learning here and there, and I'm a bit
happier as a result.

Adam

Jim wrote:
> Think it is a difference in objectives. With Selinux, it is damn near
> impossible to get it to work. In Blackhat, should someone actually get
> it to work, it is damn near impossible to break it!
>
> Shane R. Spencer wrote:
>
>> Really? The first thing they tell you in BlackHat classes is "Beware of
>> SELinux".
>>
>> Jim wrote:
>>
>>
>>> Hi Lee
>>> I never found it worth the effort. First thing they tell you in RedHat
>>> classes is
>>>
>>> "disable selinux"
>>>
>>>

---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Tue Jun 2 20:56:43 2009

This archive was generated by hypermail 2.1.8 : Tue Jun 02 2009 - 20:56:43 AKDT
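The triage step behind the post's approach (keep SELinux enforcing, reach for a per-daemon relaxation only when a denial is a known policy gap, and treat some denials as the attack they are), as an added example that is not from the post or the list. The audit lines are constructed to look like auditd output; the verdict table is an illustrative set of rules, not a complete one. One caveat worth knowing: the `<daemon>_disable_trans` booleans the post mentions belong to the RHEL 4/5-era targeted policy and were dropped in later releases, where `semanage permissive -a <domain>` is the equivalent.

```shell
#!/bin/sh
# Added example: triage AVC denials from an audit.log extract so that
# "SELinux is in the way of a legitimate feature" and "SELinux just
# stopped something" can be told apart before anyone disables it.

# Constructed sample audit.log lines (hypothetical, laid out like auditd output).
SAMPLE_AVC='type=AVC msg=audit(1243998991.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=25 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1243998992.456:457): avc:  denied  { write } for  pid=1234 comm="httpd" name="upload.php" dev=sda1 ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1243998993.789:458): avc:  denied  { execute } for  pid=2222 comm="sh" path="/tmp/ircd" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1243998991.123:456): arch=c000003e syscall=42 success=no exit=-13'

# avc_field LINE NAME: value of a key=value field, quoted or not.
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.*[ (]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# type_of CONTEXT: the type component (user:role:TYPE:level) of a context.
type_of() { printf '%s\n' "$1" | cut -d: -f3; }

# triage_avc LINE: print "<verdict> <source type> <perm> <target type>"
# for one AVC denial; lines that are not denials produce no output.
triage_avc() {
  line=$1
  case $line in *'avc:  denied'*) ;; *) return 0 ;; esac
  perm=$(printf '%s\n' "$line" | sed -n 's/.*denied  { \([^}]*\) }.*/\1/p')
  src=$(type_of "$(avc_field "$line" scontext)")
  tgt=$(type_of "$(avc_field "$line" tcontext)")
  verdict=review
  case "$src:$perm:$tgt" in
    # A web domain executing something out of /tmp: the "someone fired up
    # an ircd" case. Do not allow this; investigate the host.
    httpd_*:execute:tmp_t) verdict=suspicious ;;
    # httpd talking to port 25: a web mailer form. Covered by a stock
    # boolean, so no custom policy and no disabling needed.
    httpd_t:name_connect:smtp_port_t) verdict=boolean:httpd_can_sendmail ;;
    # httpd writing into read-only content: label the upload directory as
    # writable content (httpd_sys_script_rw_t on RHEL 5-era policy) rather
    # than loosening the domain.
    httpd_*:write:httpd_sys_content_t) verdict=relabel:httpd_sys_rw_content_t ;;
  esac
  printf '%s %s %s %s\n' "$verdict" "$src" "$perm" "$tgt"
}

# triage_all TEXT: run triage_avc over every line of an audit extract.
triage_all() {
  printf '%s\n' "$1" | while IFS= read -r l; do triage_avc "$l"; done
}

# legacy_disable_trans TYPE: name of the RHEL 4/5-era boolean that turned
# off the domain transition for a daemon (the kind the post refers to).
# Absent from RHEL 6+ policy; there `semanage permissive -a TYPE` is the
# equivalent last resort.
legacy_disable_trans() { printf '%s_disable_trans\n' "${1%_t}"; }

main() {
  triage_all "$SAMPLE_AVC"
  echo "# last resort on RHEL 5-era policy: setsebool -P $(legacy_disable_trans httpd_t)=1"
  echo "# last resort on newer policy:      semanage permissive -a httpd_t"
}

main "$@"
```

In practice the input is `ausearch -m AVC -ts today` (or `grep avc /var/log/audit/log`), and anything that ends up as `review` goes through `audit2allow` to see what a local module would grant before deciding. The kickstart side of the post's advice is the `selinux --enforcing` directive plus whatever `setsebool -P` lines the role needs in `%post`, so a freshly built host never boots with the policy turned off.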