Preston Crawford
2007-May-03 05:27 UTC
[CentOS] Running SELinux necessary for the average user?
I'm wondering because it seems to be slowing my machine down considerably under CentOS 5. Especially the daemon they include to monitor SELinux and the program that attaches to it. I tried opening this earlier and it just sat there spinning.

I want the knowledge that my machine is secure and safe. But I'm wondering if the price is worth it. Is it necessary for my machine to be fairly secure?

Preston
"Preston Crawford" <me at prestoncrawford.com> wrote:>>Is it necessary for my machine to be fairly secure? << No, as long as you take all the usual precautions: * Removing - or at least not running - unnecessary services * Keeping the system patched up-to-date (easy with yum, etc.) * Choosing strong passwords - or not using passwords for login across the Internet at all; generate an OpenSSH RSA 1024-bit key and use that instead * Never use protocols that transmit passwords in plaintext across the Internet (telnet, POP/IMAP without SSL, etc.) * Never logging in as root, but only using su to become root when necessary, for as short a time as necessary * Adding some firewall rules to (e.g.) rate-limit SSH connections to block brute-force password-guessing attacks * Use Postfix rather than Sendmail (though Sendmail has stood the test of time. by now) These are the major "good practices" required, though some people will doubtless suggest others (and probably quibble with some of the above ;) ). There have been Linux servers and workstations sitting on the Internet for many years without SELinux support, demonstrating it's not necessary. SELinux is a Thing of Beauty and a Joy Forever; I've used it myself for specialised situations, but people can - and do - run securely for years without it. Best, --- Les Bell, RHCE, CISSP [http://www.lesbell.com.au] Tel: +61 2 9451 1144 FreeWorldDialup: 800909
Daniel de Kok
2007-May-03 07:22 UTC
[CentOS] Running SELinux necessary for the average user?
On Wed, 2007-05-02 at 22:27 -0700, Preston Crawford wrote:
> I'm wondering because it seems to be slowing my machine down considerably
> under CentOS 5. Especially the daemon they include to monitor SELinux and
> the program that attaches to it. I tried opening this earlier and it just
> sat there spinning.
>
> I want the knowledge that my machine is secure and safe. But I'm wondering
> if the price is worth it. Is it necessary for my machine to be fairly
> secure?

It's an extra layer of security. You can perfectly run a secure machine without SELinux. Though it can help in the situation where some critical package is vulnerable, or even in some cases misconfiguration.

Though, I'd look what is making this slow, rather than disabling it with a thought. If it is setroubleshootd and setroubleshoot that is slowing down the machine, consider turning off setroubleshootd. SELinux runs fine without, and in case a policy change is required, you can still use audit2allow.

-- Daniel
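
An added example, not part of the thread: with setroubleshootd turned off, SELinux denials are still recorded as AVC records in the audit log, which is the input audit2allow works from. The sketch below is a simplified stand-in for that step, not audit2allow itself; it groups denials by source type, target type and object class so they can be reviewed before any policy change. The log lines are constructed samples and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample records in the audit.log AVC format (not from a real host).
SAMPLE_LOG = """\
type=AVC msg=audit(1178176920.101:41): avc:  denied  { read } for  pid=2301 comm="httpd" name="index.html" dev=dm-0 ino=98311 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1178176920.101:42): avc:  denied  { getattr } for  pid=2301 comm="httpd" name="index.html" dev=dm-0 ino=98311 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1178176920.101:42): arch=40000003 syscall=195 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1178176931.557:57): avc:  denied  { name_bind } for  pid=2410 comm="named" src=8053 scontext=user_u:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
"""

# Permissions sit inside the braces; contexts and class follow as key=value.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}.*?"
    r"\bscontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def summarize_denials(log_text):
    """Map (source type, target type, class) to the set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if not match:
            continue  # SYSCALL and other record types carry no AVC decision
        perms, scontext, tcontext, tclass = match.groups()
        key = (selinux_type(scontext), selinux_type(tcontext), tclass)
        denials[key].update(perms.split())
    return denials


def to_allow_rules(denials):
    """Render each group as a candidate allow rule for human review."""
    rules = []
    for (source, target, tclass), perms in sorted(denials.items()):
        names = sorted(perms)
        text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {source} {target}:{tclass} {text};")
    return rules


if __name__ == "__main__":
    print("\n".join(to_allow_rules(summarize_denials(SAMPLE_LOG))))
```

On a CentOS system running auditd the input would be /var/log/audit/audit.log; each candidate rule is something to investigate (often a mislabeled file) rather than to load as-is.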