  #1  
Old 9th May 2005, 09:19 PM
sirbrett Offline
Registered User
 
Join Date: Apr 2005
Location: Fort Collins, CO
Age: 29
Posts: 153
Why would I want to keep SELinux enabled?

As far as I can tell, it's mostly for protection when running servers. I use FC3 as a desktop machine and I don't have any servers. Is there any reason why I want to keep SELinux enabled? Even if I was running a server, how does it protect me?
-brett
  #2  
Old 9th May 2005, 09:35 PM
w5set Offline
Registered User
 
Join Date: Feb 2005
Location: ark n saw out in the sticks
Posts: 2,316
Couldn't answer that question for you. All it does is add additional constraints on top of the ACL and prevent just about anything from reading and writing to important files/directories if not stated in the "policy".
It can be a real PITA sometimes when applying a new policy to existing "changed from default" settings on servers and users too.
Personal preferences there--some run it and feel more secure--some turn it off and still feel secure enough.
Some are dazed and confused (mainly me it seems) about the whole thing--but I run it anyway just to try and keep up with the current developments.
  #3  
Old 9th May 2005, 10:07 PM
SlowJet Offline
Registered User
 
Join Date: Jan 2005
Posts: 5,002
Running FC3 as a Desktop with one user would be the minimum definition of a computer.
Since most of the Core programs, services, and kernel are coded to work with each other, they already behave as intended and SELinux is just a good neighbor fence between the processes, objects, users and files.

The restriction of any of these (processes, objects, users and files) is because they should not be interacting, according to the SELinux policy, to do their function. When they are interacting then something is wrong, a bad change has been made, or the system is screwed up.

SELinux does not restrict any of these from doing what it is supposed to do.

The main problems from SELinux are in two areas.

One, a new program outside the core is installed and is trying to cross the SELinux policy boundaries. This new program cannot be determined to be good, bad, or ugly until someone identifies what it is doing differently (as in upgrading MySQL or Apache) or why it needs to access other processes (as in installing SNORT or FireSTARTER).

Linux is a server OS and runs services whether you are a Desktop user or a multi-purpose server.
A program is a program and code is code. It's all about what they do and why they do it. SELinux is defined to ask: should they do it, do I want them to do it (even if they can).

Yes, on an FC3 Desktop with nothing but Core programs you could probably turn off SELinux.
On the other hand there is no reason to do so, as it would not interfere with anything except your human tendency to make big boo-boos from time to time.

If you are getting SELinux blocks, then you are crossing boundaries that you probably should not be crossing or you are going to a new (program, service, configuration) outside of the Core and the "Good, Bad, or Ugly" must be defined in SELinux policy.

There are not all that many parts in SELinux for a Desktop configuration so your problem is moot and of minimum concern.

Leave it on, turn it off. It's just you and your office applications.

But running the more advanced services with different users and with add-on processes that are unknown access-wise makes the system and processes a sitting duck for abnormal termination.

SJ
__________________
Do the Math
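
The post above says a block can only be judged once someone identifies what the program is actually doing. As an added example (not part of the original thread), the sketch below tallies kernel AVC denial records by source type, target type, object class and permission, which is the information a policy decision needs. The log lines are constructed samples, and `parse_denials` and `summarize` are hypothetical helper names.

```python
import re
from collections import Counter

# Constructed sample audit records (not taken from the thread or from a real host).
SAMPLE_LOG = """\
type=AVC msg=audit(1115676000.101:41): avc:  denied  { read } for  pid=2301 comm="httpd" name="index.html" dev=hda2 ino=48211 scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
type=AVC msg=audit(1115676000.377:42): avc:  denied  { read } for  pid=2301 comm="httpd" name="style.css" dev=hda2 ino=48212 scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
type=SYSCALL msg=audit(1115676000.377:42): arch=40000003 syscall=5 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1115676012.009:57): avc:  denied  { getattr write } for  pid=2410 comm="mysqld" name="my.cnf" dev=hda2 ino=9120 scontext=system_u:system_r:mysqld_t tcontext=system_u:object_r:etc_t tclass=file
type=AVC msg=audit(1115676020.500:60): avc:  granted  { load_policy } for  pid=1 comm="init" scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:security_t tclass=security
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denials(text):
    """Yield one dict per 'avc: denied' record; other record types are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        try:
            # A context is user:role:type[:level]; the type is the third field.
            src = fields["scontext"].split(":")[2]
            tgt = fields["tcontext"].split(":")[2]
        except (KeyError, IndexError):
            continue  # malformed record: no usable contexts
        yield {
            "comm": fields.get("comm", "?"),
            "source_type": src,
            "target_type": tgt,
            "tclass": fields.get("tclass", "?"),
            "perms": tuple(sorted(m.group("perms").split())),
        }

def summarize(text):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for d in parse_denials(text):
        for perm in d["perms"]:
            counts[(d["source_type"], d["target_type"], d["tclass"], perm)] += 1
    return counts

if __name__ == "__main__":
    for (src, tgt, cls, perm), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {src} -> {tgt}:{cls} {{ {perm} }}")
```
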
  #4  
Old 10th May 2005, 12:03 AM
Vinneh Offline
Registered User
 
Join Date: Mar 2005
Posts: 223
On a desktop system, SELinux will amount to nothing more than an annoyance.
  #5  
Old 10th May 2005, 04:11 AM
SlowJet Offline
Registered User
 
Join Date: Jan 2005
Posts: 5,002
Vinneh,

SELinux would be invisible on a Desktop.
As stated above, you may be annoying SELinux.
Give an example of what SELinux would block on an FC3 desktop install.

SJ
__________________
Do the Math
  #6  
Old 10th May 2005, 10:04 PM
Vinneh Offline
Registered User
 
Join Date: Mar 2005
Posts: 223
Quote:
Originally Posted by SlowJet
Vinneh,

SELinux would be invisible on a Desktop.
As stated above, you may be annoying SELinux.
Give an example of what SELinux would block on an FC3 desktop install.

SJ
Try installing nvidia drivers lately?
SELinux doesn't let you install new modules.
You have to turn off SELinux to install accelerated 3D nvidia drivers.

That's been my only run-in with it, but it was enough to annoy me.
Also, I've heard talk of a performance hit when running SELinux as opposed to turning it off.
  #7  
Old 11th May 2005, 01:59 AM
gavinw6662 Offline
Registered User
 
Join Date: Feb 2005
Age: 34
Posts: 1,281
Quote:
Originally Posted by Vinneh
On a desktop system, SELinux will amount to nothing more than an annoyance.
Agreed -- it has huge benefits on a server, but not for a desktop system.
  #8  
Old 11th May 2005, 08:01 AM
sirbrett Offline
Registered User
 
Join Date: Apr 2005
Location: Fort Collins, CO
Age: 29
Posts: 153
Mmmm, sounds like I'm going to turn it off. I want that performance boost. Thanks for all the info!
  #9  
Old 11th May 2005, 08:19 AM
AndyGreen Offline
Registered User
 
Join Date: Apr 2005
Location: Northants, UK
Posts: 2,026
I don't think you'll see any noticeable performance boost at all from turning it off. How often does poor performance bother you anyway? On these multi GHz machines we are still largely doing the same tasks we did on 50MHz 486s quite well.

In certain circumstances SELinux gets in the way big time, but considering what it does it actually keeps out of the way quite well.

In certain circumstances SELinux will save you from getting hacked. Some people aren't too bothered by the idea of getting hacked, since they reinstall every time they sneeze anyway, don't value much on their machine, and don't think too hard about what their internet connection might get used for while somebody else is controlling it. For other people, getting hacked is their worst nightmare. So your attitude to SELinux will depend on where you are with that.
__________________
Freelance RedHat Certified Engineer - http://northantsIT.com