On Mon, Aug 24, 2009 at 5:44 PM, Karanbir Singh<mail-li...@karan.org> wrote:
> On 08/24/2009 05:33 PM, Yashpal Nagar wrote:
>>
>> So more precisely selinux is developed to enhance the Linux system
>> security beyond the trivial system access controls granted in the form
>> of file permissions, privileges etc
>
> Yes and that is why Selinux will let you enforce userland app access levels
> and context ( which is what the primary aim is to start with ).

I know that sounds great to fine tune the Linux servers to such limits. But I wonder where exactly this requirement can be felt on gateways, application servers, database servers - perhaps only in banking/financial domain to avert the internal/external security? There are so many Linux servers which are directly facing towards public network with specific ports open, do they necessarily use selinux nowadays? I remember one time experience with selinux when it started filling up log files, when one of the programs tried to access /home which it found unusual.

>
> this is exactly the sort of thing that selinux helps with, disallowing apps
> from outside a specific context access to information that they should not
> get. Eg. it's not hard getting setup in a way that even plugins within
> firefox are unable to access things that firefox itself is able to.
>
> Most people tend to shy away from selinux due to the, false, sense of
> assumed complexity.

So many people shy away probably because it (selinux) is not being used in /everyday/ use as other programs are such as iptables, ipchains etc may be.

Regards,
Yash

_______________________________________________
ilugd mailinglist -- ilugd@lists.linux-delhi.org
http://frodo.hserus.net/mailman/listinfo/ilugd
Archives at: http://news.gmane.org/gmane.user-groups.linux.delhi
http://www.mail-archive.com/ilugd@lists.linux-delhi.org/