[Tfug] in.tftpd denied

Brian Murphy murphy+tfug at email.arizona.edu
Tue Oct 3 02:53:37 MST 2006


Quoting evorrie at comcast.net:
> Thanks, disabling SELinux worked.
>
> From a security point of view, how important is running SELinux 
> compared to having it disabled?


The best answer is also the least helpful..."it depends."

Security works best when applied in layers.

SELinux basically protects you from unknown flaws.[1]  These flaws can
be either software bugs or configuration errors.  There isn't much
config to a tftp server so we're more concerned about buffer overflows
and the like.  But you also have to account for all of the other
software on your box to see what else SELinux could have protected
against...thus the original "it depends" answer.  Fedora ships with a
tool called system-config-securitylevel that can enable/disable SELinux
policy on specific daemons.[2]

I think that a few "low hanging fruit" best practices like keeping your
software updates current and uninstalling software that you don't
require will keep you safe enough to sleep well at night without
SELinux policy restrictions enabled.

Brian
[1] http://www.nsa.gov/selinux/info/faq.cfm
[2] http://fedora.redhat.com/docs/selinux-faq-fc5/#qa-using-s-c-securitylevel


The opinions or statements expressed herein are my own and should not be
taken as a position, opinion, or endorsement of the University of
Arizona.
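
Added example, not part of the original message: before deciding whether to turn SELinux off globally or only for one daemon, it helps to see which confined domain was denied what. The sketch below summarizes AVC denials from audit log text; the log lines are constructed samples in the standard AVC record layout, and `tftpd_t` as the tftp daemon's domain and `summarize_denials` as a helper name are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed audit.log lines in the standard AVC record layout (not from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1159868017.101:41): avc:  denied  { read } for  pid=2301 comm="in.tftpd" name="pxelinux.0" dev=dm-0 ino=4711 scontext=system_u:system_r:tftpd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1159868017.105:42): avc:  denied  { search } for  pid=2301 comm="in.tftpd" name="tftpboot" dev=dm-0 ino=4700 scontext=system_u:system_r:tftpd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1159868020.300:43): avc:  denied  { read } for  pid=2301 comm="in.tftpd" name="pxelinux.0" dev=dm-0 ino=4711 scontext=system_u:system_r:tftpd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1159868020.300:43): arch=40000003 syscall=5 success=no exit=-13 comm="in.tftpd"
type=AVC msg=audit(1159868101.009:44): avc:  granted  { setenforce } for  pid=2400 comm="setenforce" scontext=root:system_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def context_type(context):
    """Return the type field (third colon-separated field) of an SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize_denials(log_text):
    """Group AVC denials as (source domain, command) -> {(target type, class): perms}."""
    summary = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # SYSCALL and other record types carry no permission set
        m = AVC_RE.search(line)
        if m is None:
            continue  # "granted" records and malformed lines are skipped
        key = (context_type(m["scontext"]), m["comm"])
        target = (context_type(m["tcontext"]), m["tclass"])
        summary[key][target].update(m["perms"].split())
    return {k: {t: sorted(p) for t, p in v.items()} for k, v in summary.items()}

if __name__ == "__main__":
    for (domain, comm), targets in summarize_denials(SAMPLE_LOG).items():
        for (ttype, tclass), perms in targets.items():
            print(f"{comm} ({domain}) denied {{{' '.join(perms)}}} on {ttype}:{tclass}")
```

If every denial maps to a single daemon's domain, as in the sample, the exception can be scoped to that daemon while the rest of the system stays confined.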