[mythtv-users] Mythweb - PHP Fatal Error

Greg Woods greg at gregandeva.net
Thu Dec 26 17:21:23 UTC 2013


On Mon, 2013-12-23 at 21:21 -0500, Stephen P. Villano wrote:

> > From what I remember, SELinux was invented by NSA to improve the level
> > of security by making it more granular that standard Unix.

Mostly, yes. It was intended to provide a framework for precisely
defining what a given program should be allowed to do (and thereby
preventing it from doing things that it has no business doing), usually
programs that had to run as root. In those days, buffer overflows
against root daemons (such as named) was the most common way of breaking
into systems. Overflow a buffer on the stack, and cause the daemon to
exec a root shell. Selinux prevents that by not granting named
permissions it does not need to do its job (such as the ability to exec
a new program).

I don't know that Selinux really requires a PhD to write policies :-)
But it does require more knowledge and more work than the average
sysadmin has time for. And I have always questioned the idea of having
it turned on by default. It can be useful in an environment where
security is critically important on servers that are directly exposed to
bad guys, but for a home desktop behind a firewall, it's overkill, and
it makes it very difficult to run anything that isn't part of the
standard distribution (or to use anything that *is* part of the standard
distribution in a way that is perfectly valid but was not anticipated by
the developers). So I almost always turn it off as the first thing I do
after a new install, but I forgot this time and caused myself (and
others who were trying to help me) to waste a bunch of time.

If someone is running a Red Hat-derived distro and they are reporting a
mysterious problem, instead of asking them if they've tried turning it
off and back on again, Roy should ask instead if they are running
Selinux :-)

--Greg




More information about the mythtv-users mailing list