Selinux

[Mark Haney]

Ray Parrish wrote:
> Hello,
>
> I get the following error message when starting System Monitor -
>
> ** (gnome-system-monitor:9044): WARNING **: SELinux was found but is not 
> enabled.
>
> I've researched SELinux, and found that it is a Security enhancement for 
> Linux. I used Synaptic Package manager, and it appears that only the lib 
> files for this is installed, not the main package itself.
>
> Should I be concerned?
>
> Thanks, Ray Parrish
>
>   
Honestly, no. The SELinux packages are very good for systems that 
require much more granular security settings.  Web servers, application 
servers, file servers, anything where multiple people access the server 
for any number of reasons.  This lets you set very specific settings on 
per-file/per-user/per-almost anything basis.

A basic desktop system at home probably doesn't need it, but the base 
SELiux settings are permissive enough to let things run without any 
trouble (usually) and let you audit the system periodically for any 
misconfigured settings. 

Personally, I don't run it on my normal desktop system, but I do on my 
webservers, proxy server and mail server just to keep an eye on things, 
even though they are very low traffic.  Even those systems get ssh 
sniffed a half dozen times a day or so, so it's good to keep a lookout. 
I also run samhain for file integrity checking, but that's a whole other 
can of worms.

As it is, installing and running SELinux in permissive mode probably 
won't hurt anything. although you may find certain apps won't function 
out of the box if SELinux doesn't have a correct config for them.  It 
happens much less often now, so I don't see that as a problem.

As for what Karl says, don't listen to him, he knows so little about 
security it's really kinda frightening.


-- 
Mark Haney
mhaney at ercbroadband.org
Fedora release 9 (Sulphur)
 Kernel: 2.6.25.10-86.fc9.i686 GNU/Linux

 16:31:50 up 3 days,  6:20,  2 users,  load average: 0.96, 0.77, 0.85