[Novalug] October Talk -- SELinux for your (grand)parents

The Doctor drwho@virtadpt.net
Thu Sep 30 12:55:25 EDT 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/29/2010 06:35 PM, Peter Larsen wrote:

> In my next life I want to be a security officer and get paid to be
> paranoid and not have to argue why something is less secure :)

Even if you do get paid to be a security officer of some kind, you will
likely still have to argue why something is less secure and needs to be
fixed.

> That said, you're quite right. Just like with backups, we don't realize
> how important security is until it's too late. Or rather, we prefer not
> to use any resources on implementing it.

"We're too small for anyone to bother cracking us."
	--Famous last words

> The argument from simplification is what Microsoft took. By not making
> the user be concerned about security we ended up with a lot of bad worms

As well as people clicking the 'OK' button like woodpeckers without
bothering to read what they were permitting.

> your OS isn't enough anymore. You have multiple apps running under the
> same OS authentication that should NEVER be able to cross over. Hacking

Zero-Day^W^WAdobe, anyone?

> Disabling temporarily to get past a "here and now" problem I don't think
> is a problem. Disabling SELinux for good is and shouldn't be considered
> at all. If setup right, you won't notice how beneficial SELinux is. You

To really make SELinux work for you (i.e. to configure it specifically)
takes planning (specific to the box and applications in question) and a
lot of playing around to make things work.  Note taking helps, as does
running it in Permissive mode and keeping a close eye on the logs.

Hardened Gentoo has done some good work in this area.

- -- 

The Doctor [412/724/301/703]

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F  DD89 3BD8 FF2B 807B 17C1
WWW: http://drwho.virtadpt.net/

Screaming right along at 9600 bps...

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkykwP0ACgkQO9j/K4B7F8HpgwCgnC0ZGwxNw7hd9WXhD+XtUF+u
u8oAoKlPmQ9w4dLQRbEMX/6uOBNxqDBw
=VPSQ
-----END PGP SIGNATURE-----
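An added example, not part of The Doctor's message or of any SELinux tool: the "Permissive mode plus a close eye on the logs" workflow described above, with the triage step scripted. The real commands (setenforce, ausearch, audit2allow, semodule) need root and the policycoreutils package, so they appear only as comments; the audit log lines are constructed here to stand in for /var/log/audit/audit.log, and the domain and type names in them (httpd_t, user_home_t, var_t) are assumed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): triage SELinux AVC denials
# collected while the box runs in Permissive mode.
#
# Real-world workflow (not run here; needs root and policycoreutils):
#   setenforce 0                 # Permissive: log what would be denied, block nothing
#   ausearch -m AVC -ts recent   # pull the denials out of the audit log
#   audit2allow -a -M mylocal    # draft a policy module from them
#   semodule -i mylocal.pp       # install, but only after reviewing mylocal.te
#
# Constructed sample audit lines (assumed names; not from a real system):
SAMPLE_AVC='type=AVC msg=audit(1285866925.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=sda1 ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1285866926.456:457): avc:  denied  { write } for  pid=1234 comm="httpd" name="upload" dev=sda1 ino=2 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1285866927.789:458): avc:  denied  { read } for  pid=1235 comm="httpd" name="page.html" dev=sda1 ino=3 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1285866927.789:458): arch=c000003e syscall=2 success=yes exit=3'

# summarize_avc: read audit lines on stdin and print, most frequent first,
# one line per distinct (source domain, target type, object class, permission)
# with its count. This is the "what is actually being denied" view you want
# from a Permissive run before touching any policy.
summarize_avc() {
    grep 'type=AVC.*denied' | awk '{
        perms = ""; s = ""; t = ""; c = ""
        for (i = 1; i <= NF; i++) {
            # the permission set sits between braces: { read write }
            if ($i == "{") {
                i++
                while (i <= NF && $i != "}") { perms = perms $i " "; i++ }
            }
            if ($i ~ /^scontext=/) { s = substr($i, 10) }
            if ($i ~ /^tcontext=/) { t = substr($i, 10) }
            if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        # keep only the type part (user:role:TYPE:level) of each context
        split(s, sa, ":"); split(t, ta, ":")
        n = split(perms, pa, " ")
        for (j = 1; j <= n; j++) print sa[3], ta[3], c, pa[j]
    }' | sort | uniq -c | sort -rn
}

# draft_te: turn the summary into allow rules in policy (.te) syntax, one per
# (source, target, class) with permissions merged. This mimics the shape of
# audit2allow output; each rule is a decision to review, not a fix to apply
# blindly. httpd_t reading user_home_t, for instance, is usually better
# handled by relabeling the files or flipping a boolean than by an allow rule.
draft_te() {
    summarize_avc | awk '{
        key = $2 " " $3 ":" $4
        perms[key] = perms[key] " " $5
    } END {
        for (k in perms) print "allow " k " {" perms[k] " };"
    }' | sort
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
printf '%s\n' "$SAMPLE_AVC" | draft_te
```

On a real box, replace the sample with `ausearch -m AVC -ts today --raw | summarize_avc` and keep notes per box on which denials were legitimate application needs and which were mislabeled files; only the former belong in a local module.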
