SELinux and Fedora

Posted Jul 10, 2008 13:36 UTC (Thu) by gdt (subscriber, #6284)
Parent article: SELinux and Fedora

I've followed SELinux from its earliest days. It has moved from a nightmare to a nice product which pops up windows whenever it blocks access. This is far superior to the Windows Vista approach of putting up a dialog box beforehand saying "allow me to malware your computer (y/n)?". In fact the nice GUI interfaces to SELinux make it much less of a hassle to run on a desktop than on a text-mode server.

As for the need for SELinux, it's the only technology I've seen that puts me well ahead of the "race to patch" in maintaining system security.

If I were to make a criticism of SELinux under Fedora it would be "where's the benefit for the desktop user"? There's obviously benefit for servers -- where processes are essentially sandboxed in the data they can access. But the rules for desktops are deficient. As a trivial example, why can I execute files from ~/Pictures/* -- aren't all of those files meant to be images? Why can The Gimp read files from ~/bin -- aren't all those files meant to be executables?

Sure, these sorts of policies mean that users need to follow a centralised diktat of what goes where, but such a diktat is also the thing which prevents a subverted Firefox from reading and writing the files in ~/Documents (and thus having malware encrypt my documents and hold them hostage).


SELinux and Fedora

Posted Jul 10, 2008 18:38 UTC (Thu) by rahulsundaram (subscriber, #21946)


http://fedoraproject.org/wiki/SELinux/FAQ has more details on where it benefits desktop users. Specifically, important desktop software with a long history of being prone to vulnerabilities, such as a web browser, is covered by SELinux policy in Fedora.
