SCIENTIFIC-LINUX-USERS Archives

October 2011

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: "Alec T. Habig" <[log in to unmask]>
Reply To: Alec T. Habig
Date: Fri, 21 Oct 2011 08:33:41 -0500
Content-Type: text/plain

Nico Kadel-Garcia writes:
> Until it breaks something, unpredictably. For example, restoration of
> previously working software with "rsync" from another working system,
> or "tar" from backup tape, will not set SELinux.

The solution here is to tell selinux to please rebuild the file
permissions, as the next step after restore from tape, before trying to
do anything with the system:

  restorecon -R -vv /restored/filesystem

(the verbose option is of course not necessary, just entertaining)

Is selinux worth it?  There are a few extra steps, but I've been living
with it enabled on my systems for years and it's not too hateful.  It
does use extra resources on I/O to verify things are ok, but most
systems aren't running so close to the performance edge that anyone
cares. 

Does it help defend a system?  That's a lot harder to quantify - which
is a true statement for any security measure.  Why?  Because they're
supposed to work in layers.  If someone gets around one defense, the
next is supposed to be there to stop them.  If it's not, you're screwed.
If they never make it to that next layer, you'll never know if that next
layer was ever worth it.

-- 
 	    Alec Habig, University of Minnesota Duluth Physics Dept.
	    		    [log in to unmask]
		       http://neutrino.d.umn.edu/~habig/
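
Added example, not part of the original message: a dry run of the relabel step described above, summarizing which SELinux types a restored tree would change from and to before anything is modified. The function names and the sample lines are constructed for illustration; the parser assumes the two verbose output formats restorecon has used (older "restorecon reset ... context OLD->NEW", newer "Would relabel ... from OLD to NEW").

```shell
#!/bin/sh
# Added example (not from the original message): preview SELinux label
# drift after a restore, before running the real relabel.

# Read `restorecon -n -v` output on stdin; print "COUNT old_type -> new_type",
# most frequent transition first.
summarize_relabels() {
    awk '
    { cur = ""; want = "" }
    # Newer policycoreutils: "Would relabel PATH from OLD to NEW"
    /^(Would relabel|Relabeled) / { cur = $(NF-2); want = $NF }
    # Older releases: "restorecon reset PATH context OLD->NEW"
    /^restorecon reset / { split($NF, c, "->"); cur = c[1]; want = c[2] }
    cur != "" && want != "" {
        # A context is user:role:type:level; field 3 is the type.
        # Fields are counted from the end of the line, so paths
        # containing spaces do not shift the contexts.
        split(cur, o, ":"); split(want, n, ":")
        count[o[3] " -> " n[3]]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Hypothetical wrapper: -n makes restorecon report without changing labels.
audit_restore() {
    restorecon -R -n -v "$1" 2>&1 | summarize_relabels
}

# Constructed sample output: both formats, a path with a space, and noise.
sample_dry_run() {
    cat <<'EOF'
restorecon reset /var/www/html/index.html context unconfined_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
Would relabel /var/www/html/my page.html from unconfined_u:object_r:user_home_t:s0 to system_u:object_r:httpd_sys_content_t:s0
Would relabel /etc/hosts from unconfined_u:object_r:default_t:s0 to system_u:object_r:net_conf_t:s0
this line is unrelated noise and is ignored
EOF
}

# Demo on the constructed sample; on a real system use: audit_restore /path
sample_dry_run | summarize_relabels
```

A large count of one unexpected transition after a restore is the cue to run the real restorecon before starting services from that tree.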
