[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Selinux on a Squeeze Desktop

--- On Sun, 3/13/11, Josep M. Gasso <websurfer@navegants.com> wrote:

> I would like ask if someone have in his home a
> Desktop/Server machine
> what runs selinux, my Debian Squeeze machine is always on
> and is a
> mailserver too.

I run Fedora.  (And have since FC3.)  SELinux is installed by default.  It has problems.  Not many, but enough to be annoying and require "fixes.".  I keep it in "Permissive" mode on my home system, which means it logs security issues, but doesn't prevent them.  Uninstalling it is next to impossible, since everything on the system has SELinux as a dependency.    It (SELinux) is one of the reasons I'm switching to Debian.  At least with Debian, I have the OPTION not to install it.  I won't be.

> So, I would like if there is any desktop problems with
> selinux, and if
> speed is also affected.

The one problem that I've experienced with SELinux over several versions of Fedora is SELinux will prevent updating (upgrading in Debian-speak) a newly installed or upgraded (dist-upgrade in Debian) system.  However, if you disable or put SELinux in permissive, after the system update, it no longer has issues with additional updates.  It's a strange beast.

SELinux is fairly efficient.  I doubt that it would affect system performance all that much.  Although, I've never run any tests.  But to run it effectively, you need to be very knowlegeable in its use and configuration.  Installing and forgetting won't cut it.  Do the research.  Study the manuals.  Etc.

> Any advice will be appreciated, I plan install selinux in a
> few days.

I consider SELinux a waste on a "home" system.  SELinux is like suspenders:  If you have a good belt, you don't need the suspenders.  However, in a commercial/business, workstation/server set up, and you're the security guy, I would run it.  Even with the problems: better safe than sorry.  Or fired. ;-)

Before doing the "real" install, I suggest you use a "test" system first.  Like I said above:  SELinux is pervasive and unistalling, if it doesn't suit you, might be a problem, or impossible.  A dual boot is best, but a VM would be good enough, but not perfect, for an evaluation.

FYI:  I'm not an SELinux "expert."  I took one look at the "official" administrative manual, and said "No, thanks."  What would you expect from something that was developed by a insanely paranoid government agency? ;-)


Reply to: