On Tue, Apr 8, 2008 at 6:46 AM, Jim Kuzdrall <[EMAIL PROTECTED]> wrote:
>  Didn't he talk on SELinux here before?

  Yup.  On 20 July 2006.

Notes: http://thread.gmane.org/gmane.org.user-groups.linux.gnhlug/6371

Slides: http://wiki.gnhlug.org/twiki2/pub/Www/PastEvents/Summit2006SELinux.odp

>  For this time, what about suggesting he concentrate his talk on
>  defining an optimum home-office system and the steps in setting it up.

  Well, from what I understand:

  SELinux is a big complicated beast, and setting it up from scratch
isn't really something for mere mortals to attempt.  (I looked at the
SELinux config files.  Once.  *shudder*)  So distribution builders --
in particular, Red Hat/Fedora -- have taken it upon themselves to do
the dirty work for us.  The result is something that's designed to
help restrict services/daemons/etc to just the files they need, so
that a security hole in them is limited in scope.

  So presently, SELinux is not typically used for access control with
individual people -- the regular Unix permissions model suffices for
that.  Thus, one doesn't use SELinux in one's home directory (unless
services are using files there).

  The issues with SELinux arise when one wants to integrate
third-party (i.e., not included in the distro) software, or do
something else the distro didn't foresee.  So a lot of people
(especially software authors) recommend just turning SELinux off as a
matter of course.  That's obviously sub-optimal from a security
standpoint.  Dan's goal is to instead teach us how to diagnose
problems, and tweak the SELinux configuration to work.

  Of course, I could be way off.  :)

-- Ben