 
Old 01-16-2008, 07:03 PM
"Daniel P. Berrange"
 
Default SELinux removed from desktop cd spin?

On Wed, Jan 16, 2008 at 08:57:56PM +0100, Valent Turkovic wrote:
> Hi,
> I believe that SELinux is a great linux server security hardening tool
> but that has little use in desktop linux usage and it confuses
> ordinary desktop users.

It is of great use in a desktop spin. On my 'desktop' install for my
laptop I have many many system daemons running under a confined domain

auditd
console-kit-daemon
crond
cupsd
dbus-daemon
hald
init
libvirtd
NetworkManager
rklogd
rpcbind
rpc.statd
rsyslogd
/sbin/dhclient
/sbin/mingetty
/sbin/udevd
/usr/bin/nm-vpnc-service
/usr/sbin/acpid
/usr/sbin/dnsmasq
/usr/sbin/gdm-binary
/usr/sbin/hcid
/usr/sbin/smartd
/usr/sbin/sshd
/usr/sbin/wpa_supplicant


> If it hasn't been discussed before I would like to propose that on
> desktop cd spin SELinux is not installed by default, of course after
> discussion and approval from you (fedora devels).

No. SELinux provides very real & important protection for desktop users.

Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
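
Added example, not part of the original thread or of any poster's message: a shell example of how a list of confined daemons like the one in the post above can be derived from `ps -eZ` output. The process table is a constructed sample, and the set of domain types treated as unconfined (`UNCONFINED_TYPES`) is an assumption, since that depends on the loaded policy.

```shell
#!/bin/sh
# Added example: list processes that run in a confined SELinux domain,
# working from text in `ps -eZ` format.

# Domain types treated as unconfined. ASSUMPTION: illustrative list only;
# which domains are unconfined depends on the policy that is loaded.
UNCONFINED_TYPES="unconfined_t initrc_t kernel_t"

# Constructed sample in `ps -eZ` format (not captured from a real system).
sample_ps_output() {
cat <<'EOF'
LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 init
system_u:system_r:kernel_t:s0       2 ?        00:00:00 kthreadd
system_u:system_r:cupsd_t:s0-s0:c0.c1023 1890 ? 00:00:00 cupsd
system_u:system_r:sshd_t:s0-s0:c0.c1023 1922 ?  00:00:00 sshd
system_u:system_r:NetworkManager_t:s0 1755 ?   00:00:02 NetworkManager
system_u:system_r:initrc_t:s0    2011 ?        00:00:00 customd
unconfined_u:unconfined_r:unconfined_t:s0 2450 pts/0 00:00:00 bash
EOF
}

# Read `ps -eZ` text on stdin; print "domain command" for each process
# whose domain type is not in UNCONFINED_TYPES.
confined_procs() {
    awk -v skip="$UNCONFINED_TYPES" '
        BEGIN { n = split(skip, s, " "); for (i = 1; i <= n; i++) unconf[s[i]] = 1 }
        $1 == "LABEL" { next }                  # header row
        {
            # The context is user:role:type[:level]; a bare "-" (SELinux
            # disabled) or any other short label is skipped.
            if (split($1, ctx, ":") < 3) next
            if (!(ctx[3] in unconf)) print ctx[3], $5
        }'
}

# Stand-alone run on the constructed sample.
sample_ps_output | confined_procs
```

On a live system the same function can be fed directly: `ps -eZ | confined_procs`.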
 
Old 01-16-2008, 07:12 PM
"Jakub 'Livio' Rusinek"
 
Default SELinux removed from desktop cd spin?

2008/1/16, Daniel P. Berrange <berrange@redhat.com>:
> On Wed, Jan 16, 2008 at 08:57:56PM +0100, Valent Turkovic wrote:
> > Hi,
> > I believe that SELinux is a great linux server security hardening tool
> > but that has little use in desktop linux usage and it confuses
> > ordinary desktop users.
>
> It is of great use in a desktop spin. On my 'desktop' install for my
> laptop I have many many system daemons running under a confined domain
>
> auditd
> console-kit-daemon
> crond
> cupsd
> dbus-daemon
> hald
> init
> libvirtd
> NetworkManager
> rklogd
> rpcbind
> rpc.statd
> rsyslogd
> /sbin/dhclient
> /sbin/mingetty
> /sbin/udevd
> /usr/bin/nm-vpnc-service
> /usr/sbin/acpid
> /usr/sbin/dnsmasq
> /usr/sbin/gdm-binary
> /usr/sbin/hcid
> /usr/sbin/smartd
> /usr/sbin/sshd
> /usr/sbin/wpa_supplicant
>
> > If it hasn't been discussed before I would like to propose that on
> > desktop cd spin SELinux is not installed by default, of course after
> > discussion and approval from you (fedora devels).
>
> No. SELinux provides very real & important protection for desktop users.
>
> Dan.
> --
> |=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
> |=- Perl modules: http://search.cpan.org/~danberr/ -=|
> |=- Projects: http://freshmeat.net/~danielpb/ -=|
> |=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|
>
> --
> fedora-devel-list mailing list
> fedora-devel-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-devel-list

Yes, it protects the internet connection from being shared, protects the system from drivers needed for some hardware, and protects the system from everything useful.

It's a question of policy, but SELinux on the LiveCD made me stupid in my brother's eyes.
I wanted to show him internet connection sharing via a superb user-friendly tool, which appeared in F8, but SELinux blocked my changes... Nice.

--
Jakub 'Livio' Rusinek
http://liviopl.jogger.pl/
 
Old 01-16-2008, 07:17 PM
nodata
 
Default SELinux removed from desktop cd spin?

On Wednesday, 16.01.2008, at 20:57 +0100, Valent Turkovic wrote:
> Hi,
> I believe that SELinux is a great linux server security hardening tool
> but that has little use in desktop linux usage and it confuses
> ordinary desktop users.
> If it hasn't been discussed before I would like to propose that on
> desktop cd spin SELinux is not installed by default, of course after
> discussion and approval from you (fedora devels).
>

-2

 
Old 01-16-2008, 07:18 PM
nodata
 
Default SELinux removed from desktop cd spin?

On Wednesday, 16.01.2008, at 21:12 +0100, Jakub 'Livio' Rusinek wrote:
> It's a question of policy, but SELinux on the LiveCD made me stupid in my
> brother's eyes.
> I wanted to show him internet connection sharing via a superb
> user-friendly tool, which appeared in F8, but SELinux blocked my changes...
> Nice.

bz#?

 
Old 01-16-2008, 07:19 PM
"Valent Turkovic"
 
Default SELinux removed from desktop cd spin?

On Jan 16, 2008 9:03 PM, Daniel P. Berrange <berrange@redhat.com> wrote:
> On Wed, Jan 16, 2008 at 08:57:56PM +0100, Valent Turkovic wrote:
> > Hi,
> > I believe that SELinux is a great linux server security hardening tool
> > but that has little use in desktop linux usage and it confuses
> > ordinary desktop users.
>
> It is of great use in a desktop spin. On my 'desktop' install for my
> laptop I have many many system daemons running under a confined domain

You, of course, will always have the ability to choose to install it
and use it.

> > If it hasn't been discussed before I would like to propose that on
> > desktop cd spin SELinux is not installed by default, of course after
> > discussion and approval from you (fedora devels).
>
> No. SELinux provides very real & important protection for desktop users.

Can you give me examples of this protection over fedora 9 without
SELinux or with SELinux in permissive mode?

I'm a desktop user and I personally don't see any benefit. It actually
prevented me from using multimedia on fedora 8 desktop (I filed a bug).
I believe it is more of a nuisance (constant alerts) for average
desktop users. Advanced users always have an option to install and use
SELinux if they need it.

Cheers,
Valent.
--
http://kernelreloaded.blog385.com/
linux, blog, anime, spirituality, windsurf, wireless
registered as user #367004 with the Linux Counter, http://counter.li.org.
ICQ: 2125241, Skype: valent.turkovic

 
Old 01-16-2008, 07:20 PM
Stephen Smalley
 
Default SELinux removed from desktop cd spin?

On Wed, 2008-01-16 at 20:03 +0000, Daniel P. Berrange wrote:
> On Wed, Jan 16, 2008 at 08:57:56PM +0100, Valent Turkovic wrote:
> > Hi,
> > I believe that SELinux is a great linux server security hardening tool
> > but that has little use in desktop linux usage and it confuses
> > ordinary desktop users.
>
> It is of great use in a desktop spin. On my 'desktop' install for my
> laptop I have many many system daemons running under a confined domain

Also, note that XACE/XSELinux has been merged to the trunk of xorg, so
the ability of SELinux to confine desktop applications in interesting
ways is only going to increase over time...

>
> auditd
> console-kit-daemon
> crond
> cupsd
> dbus-daemon
> hald
> init
> libvirtd
> NetworkManager
> rklogd
> rpcbind
> rpc.statd
> rsyslogd
> /sbin/dhclient
> /sbin/mingetty
> /sbin/udevd
> /usr/bin/nm-vpnc-service
> /usr/sbin/acpid
> /usr/sbin/dnsmasq
> /usr/sbin/gdm-binary
> /usr/sbin/hcid
> /usr/sbin/smartd
> /usr/sbin/sshd
> /usr/sbin/wpa_supplicant
>
>
> > If it hasn't been discussed before I would like to propose that on
> > desktop cd spin SELinux is not installed by default, of course after
> > discussion and approval from you (fedora devels).
>
> No. SELinux provides very real & important protection for desktop users.
>
> Dan.
> --
> |=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
> |=- Perl modules: http://search.cpan.org/~danberr/ -=|
> |=- Projects: http://freshmeat.net/~danielpb/ -=|
> |=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|
>
--
Stephen Smalley
National Security Agency

 
Old 01-16-2008, 07:21 PM
"Valent Turkovic"
 
Default SELinux removed from desktop cd spin?

On Jan 16, 2008 9:17 PM, nodata <lsof@nodata.co.uk> wrote:
>
> On Wednesday, 16.01.2008, at 20:57 +0100, Valent Turkovic wrote:
> > Hi,
> > I believe that SELinux is a great linux server security hardening tool
> > but that has little use in desktop linux usage and it confuses
> > ordinary desktop users.
> > If it hasn't been discussed before I would like to propose that on
> > desktop cd spin SELinux is not installed by default, of course after
> > discussion and approval from you (fedora devels).
> >
>
> -2

-19

explain.

--
http://kernelreloaded.blog385.com/
linux, blog, anime, spirituality, windsurf, wireless
registered as user #367004 with the Linux Counter, http://counter.li.org.
ICQ: 2125241, Skype: valent.turkovic

 
Old 01-16-2008, 07:25 PM
"Valent Turkovic"
 
Default SELinux removed from desktop cd spin?

On Jan 16, 2008 9:18 PM, nodata <lsof@nodata.co.uk> wrote:
> On Wednesday, 16.01.2008, at 21:12 +0100, Jakub 'Livio' Rusinek wrote:
> > It's a question of policy, but SELinux on the LiveCD made me stupid in my
> > brother's eyes.
> > I wanted to show him internet connection sharing via a superb
> > user-friendly tool, which appeared in F8, but SELinux blocked my changes...
> > Nice.
>
> bz#?
>

mine is:
https://bugzilla.redhat.com/show_bug.cgi?id=355291


--
http://kernelreloaded.blog385.com/
linux, blog, anime, spirituality, windsurf, wireless
registered as user #367004 with the Linux Counter, http://counter.li.org.
ICQ: 2125241, Skype: valent.turkovic

 
Old 01-16-2008, 07:25 PM
"Daniel P. Berrange"
 
Default SELinux removed from desktop cd spin?

On Wed, Jan 16, 2008 at 09:19:38PM +0100, Valent Turkovic wrote:
> On Jan 16, 2008 9:03 PM, Daniel P. Berrange <berrange@redhat.com> wrote:
> > On Wed, Jan 16, 2008 at 08:57:56PM +0100, Valent Turkovic wrote:
> > > Hi,
> > > I believe that SELinux is a great linux server security hardening tool
> > > but that has little use in desktop linux usage and it confuses
> > > ordinary desktop users.
> >
> > It is of great use in a desktop spin. On my 'desktop' install for my
> > laptop I have many many system daemons running under a confined domain
>
> You, of course, will always have the ability to choose to install it
> and use it.
>
> > > If it hasn't been discussed before I would like to propose that on
> > > desktop cd spin SELinux is not installed by default, of course after
> > > discussion and approval from you (fedora devels).
> >
> > No. SELinux provides very real & important protection for desktop users.
>
> Can you give me examples of this protection over fedora 9 without
> SELinux or with SELinux in permissive mode?

Yes. SELinux mitigated against the recent HPLIP security flaw which
would have allowed arbitrary code execution as root.

http://james-morris.livejournal.com/25140.html
https://rhn.redhat.com/errata/RHSA-2007-0960.html

There have been other similar scenarios where security flaws have been
prevented, or their damage mitigated, by the presence of SELinux.

Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|

 
Old 01-16-2008, 07:30 PM
"Jakub 'Livio' Rusinek"
 
Default SELinux removed from desktop cd spin?

2008/1/16, nodata <lsof@nodata.co.uk>:
> On Wednesday, 16.01.2008, at 21:12 +0100, Jakub 'Livio' Rusinek wrote:
> > It's a question of policy, but SELinux on the LiveCD made me stupid in my
> > brother's eyes.
> > I wanted to show him internet connection sharing via a superb
> > user-friendly tool, which appeared in F8, but SELinux blocked my changes...
> > Nice.
>
> bz#?
>
> --
> fedora-devel-list mailing list
> fedora-devel-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-devel-list

I would not file a bug, because it was only a LiveCD test.


On desktop I'm always disabling SELinux. Just like that.
--
Jakub 'Livio' Rusinek
http://liviopl.jogger.pl/
 

All times are GMT.