4

I've got two Fedora laptops and a CentoOS home server, but I'm the only person who uses any of them, with the exception of a smb share that a family member uses. Does SELinux have any real benefit if there aren't any other regular users on my my machines? Is there a good reason to not just keep it turned off?

Kefka
  • 1,536
  • 2
  • 17
  • 32

3 Answers3

9

Selinux is for enforcing process types. This is not the same as user isolation.

For a really simple guide to understanding SELinux, take a look at the SELinux coloring book (yes it really is a coloring book).

https://people.redhat.com/duffy/selinux/selinux-coloring-book_A4-Stapled.pdf

For a workstation, SELinux isn't as important as on a server. However it would prevent a rogue process from accessing other processes.

http://stopdisablingselinux.com

spuder
  • 10,135
4

If you have your user and group rights setup properly, you should not be concerned about other regular users.

SELinux is meant to protect you from the irregularities, i.e. someone taking advantage of program or configuration faults to make your computer do something that is not in your interest. This could be using networking daemons running on your computer, your browser or some software you downloaded and executed. Even plugging in some devices like malicious USB sticks could be dangerous.

Of course SELinux has to be setup properly to protect your computer. If it isn't, you may as well turn it off.

Mathias Weidner
  • 186
4

Yes.

SELinux is designed to sandbox apps so they can only perform specific approved functions. for instance, if a site tricked your browser into downloading and installing a RASKit, SELinux would (assuming your profile is correctly defined) prevent the RASKit from being installed.

In addition to applications that receive remote input like browsers, SELinux (once again, when properly used) will also protect against rogue apps, masquerading as trusted ones. If your distros repositories are comprimised for instance, and tricked into pushing down bad versions of updates to your applications, SELinux should prevent them from taking actions that the legitimate version was not allowed to take.

Mandatory Access Control isn't so much about users, as it is about applications, and SELinux or AppArmor are designed to prevent these applications from exceeding their expected levels of privilege. This is especially import for applications you run as root.

Frank Thomas
  • 37,476