Linux for Hams
"Bill Horne" wrote in message
. ..
xpyttl wrote:
I disagree: any Linux distro can be made secure, and just because Red Hat
has chosen "secure" defaults in Fedora doesn't mean that other distros
can't be set for security.
I think you miss the point. Fedora/Red Hat have chosen to use a new
security model called SELinux that is far more secure than the old Linux UID
based model, but a LOT harder to make work without really getting in the
way. Most of the other distros have this model available, but getting it
configured so it isn't a major PITA is a pretty big deal.
The system is a lot more granular than the legacy system, which means, among
other things, that an attacker gaining root privileges still has very
limited access to the system. With the old system, any sort of privilege
escalation and it's game over. That granularity means that there are a lot
more things to twiddle, and a lot of thinking about what gets in the way and
what doesn't.
Fedora bit the bullet back in FC3 (seems like ages ago), and finally by FC6
it had reached the point where it could be fully turned on and not be
constantly getting in the way.
The thing about SELinux is that the compromise between usability and
effectiveness isn't quite as stark as it is with the old UID system. You
can have the system configured to be quite restrictive, and never notice
that those restrictions are there. Getting all the policies set that way is
no small project, however.
Of course you could turn it on with Ubuntu, but you would spend months, if
not years, getting it configured so it actually provided protection while
not raising its ugly head every time you tried to do something. Red Hat
has spent three or four years sorting out all those settings, and the
default settings for Fedora are now pretty good.
...
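
An added example, not part of the original post: a simplified Python model of the point above that a process which reaches uid 0 is still confined by its SELinux domain. The type names follow common SELinux naming, but the policy table, files and process are constructed for illustration and this is not how the kernel implements the checks.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Process:
    uid: int
    domain: str      # SELinux type of the process, e.g. httpd_t

@dataclass(frozen=True)
class File:
    path: str
    owner_uid: int
    mode: int        # classic permission bits, e.g. 0o644
    ftype: str       # SELinux type of the file

# Constructed sample policy: (source domain, target type) -> allowed permissions.
# Anything not listed is denied, and there is no entry keyed on uid 0.
POLICY = {
    ("httpd_t", "httpd_sys_content_t"): {"read"},
    ("httpd_t", "httpd_log_t"): {"append"},
    ("unconfined_t", "shadow_t"): {"read", "write"},
}

def dac_allows(proc, f, perm):
    """Legacy UID model: uid 0 bypasses the mode bits entirely."""
    if proc.uid == 0:
        return True
    bit = {"read": 4, "write": 2, "append": 2}[perm]
    shift = 6 if proc.uid == f.owner_uid else 0   # owner or other; groups omitted
    return bool((f.mode >> shift) & bit)

def te_allows(proc, f, perm):
    """Type enforcement: decided by domain and file type, never by uid."""
    return perm in POLICY.get((proc.domain, f.ftype), set())

def access(proc, f, perm, selinux_enforcing):
    """With SELinux enforcing, both the UID check and the type check must pass."""
    if not dac_allows(proc, f, perm):
        return False
    return te_allows(proc, f, perm) if selinux_enforcing else True

SHADOW = File("/etc/shadow", 0, 0o600, "shadow_t")
WEBPAGE = File("/var/www/html/index.html", 0, 0o644, "httpd_sys_content_t")
# Constructed scenario: a web server process that has been escalated to uid 0.
ROOTED_HTTPD = Process(uid=0, domain="httpd_t")

if __name__ == "__main__":
    for f, perm in [(SHADOW, "read"), (WEBPAGE, "read"), (WEBPAGE, "write")]:
        print(f.path, perm,
              "uid-only:", access(ROOTED_HTTPD, f, perm, False),
              "enforcing:", access(ROOTED_HTTPD, f, perm, True))
```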