
Hello, I have two questions.

1. How do I enable SELinux on my Linux Mint 17 system? I just want simple default settings useful for an average user that mostly does web browsing. By the way, I have tried Google and found all of the information I looked at about enabling SELinux very confusing. I presume the following website is the main source of information on SELinux http://selinuxproject.org/page/Main_Page but I could not find how to enable SELinux from it. If this information is not on the website in a simple form, my next question is

2. Why not?

Please consider this question very carefully before answering. I am thinking many things to do with Linux are deliberately made confusing by saboteurs. Maybe I am completely wrong, but as a Linux beginner that is a strong impression I am getting.

regards
Peter

On 13/09/15 23:57, Peter wrote:
> Hello, I have two questions.
> 1. How do I enable SELinux on my Linux Mint 17 system? I just want simple default settings useful for an average user that mostly does web browsing. By the way, I have tried Google and found all of the information I looked at about enabling SELinux very confusing. I presume the following website is the main source of information on SELinux

Change the file:
  /etc/selinux/config
..to read:
  selinux=enforcing

http://forums.linuxmint.com/viewtopic.php?f=90&t=109916

> but I could not find how to enable SELinux from it. If this information is not on the website in a simple form, my next question is
> 2. Why not?
There are two main ways to approach systems:

1) Learn as you go along / by error
2) Start with "Best Practice" and face a steep learning curve

Method #1 means you don't solve problems until you encounter them. Most are benign but it means you can get blind-sided from time to time. #2 means you are more secure out of the box but stuff will just not work.

SE Linux is simple to set up and simple to blindly configure by using:

  sudo audit2allow -w -a

...every minute that something stops working.

The problem here is that if you run audit2allow without actually checking and understanding what you are doing then you might as well not use SE Linux (since you probably will allow malicious activity through anyway). There is an alternate SE Linux setting that makes notices rather than enforces them so you can set up your SE Linux rules over time.

There is no check box in Linux to "Apply Protection Y/N" because computer systems are complex technologies. I am not running SE Linux on this machine and on a server where it is installed we had a Wordpress vulnerability exploited. Those "saboteurs" you speak of are only the gaps in our knowledge in how to maintain our own systems.

I would suggest that you run SE Linux in a VM on your desktop so that you can see what it blocks without impeding your use of the base system. Once you have learned all about SE Linux then use it as part of your overall security system.

P
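The reply above warns against running audit2allow without checking what is being allowed, and mentions the mode that only logs. The following is an added example, not part of the original thread: a small shell function (the name `summarize_avc` and the sample records are constructed for illustration) that groups AVC denials by source type, target type, class and permission, and marks each as blocked or only logged, so every distinct denial can be reviewed before any rule is written.

```sh
# Constructed sample audit records (not from a real system). On a host running
# auditd the same records are normally found in /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1442150000.101:410): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="sda1" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1442150000.101:410): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1442150007.220:415): avc:  denied  { read } for  pid=2140 comm="httpd" name="notes.txt" dev="sda1" ino=188 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1442150031.004:422): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1'

# Read audit records on stdin; print "<count> <source> -> <target> <class>
# {perms} comm=<process> <blocked|logged-only>", most frequent first.
summarize_avc() {
  awk '
    /avc:/ && /denied/ {
      perms = ""; src = ""; tgt = ""; cls = ""; comm = "?"; mode = "unknown"
      # The denied permissions sit between braces: { read write }
      if (match($0, /[{][^}]*[}]/)) {
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms)
        gsub(/ +/, ",", perms)
      }
      for (i = 1; i <= NF; i++) {
        n = index($i, "=")
        if (n == 0) continue
        key = substr($i, 1, n - 1)
        val = substr($i, n + 1)
        gsub(/"/, "", val)
        # A context is user:role:type:level; the type is what policy rules name.
        if (key == "scontext") { split(val, c, ":"); src = c[3] }
        else if (key == "tcontext") { split(val, c, ":"); tgt = c[3] }
        else if (key == "tclass") cls = val
        else if (key == "comm") comm = val
        # permissive=1 means the access was logged but not stopped.
        else if (key == "permissive") mode = (val == "1") ? "logged-only" : "blocked"
      }
      count[src " -> " tgt " " cls " {" perms "} comm=" comm " " mode]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
  ' | sort -k1,1nr
}

# Run over the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_avc
```

Each output line is one distinct access to decide on: here, whether a web server process should read files labelled as home-directory content at all, rather than whether the error can be made to go away.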

Peter wrote:
> 1. How do I enable SELinux on my Linux Mint 17 system?
> 2. Why not?

Mint appears to be based on Ubuntu... sometimes, & Ubuntu defaults to apparmor (not SELinux), so it might be better to go with apparmor. (Apparmor & SELinux do the same job, in a slightly different way.)

Specifically: on Ubuntu the default apparmor policy is probably more comprehensive and less buggy (than the default SELinux policy). Cf. in current stable Debian, the default SELinux policy was so broken it was removed from the release.

I am a beginner with both selinux & apparmor. When I wanted to patch the apparmor rules, I found it pretty straightforward. SELinux was less obvious.

SELinux seems to be most popular, outside of the Ubuntu (and SuSE?) camps.
participants (3): Peter, Piers Rowan, Trent W. Buck