frumenti,
----- Original Message -----
> I am running into problems with SE Linux every day. I thought SE
> Linux has been incorporated into the kernel from 2.6 on. Why is there a
> separate module requiring configuration?
Read up on SELinux. It isn't your grandfather's security module. It is quite complex. It has gotten a lot better from when it first started, but it still needs a bit of tweaking when you try to run things it doesn't already have policies for, which may be quite a bit of stuff for some people. For people running servers with standard services, the default policies work most of the time, and when they don't there are often SELinux booleans that can be toggled for various situations.
Fedora had SELinux about two years before everyone else, and Red Hat has basically been responsible for developing all of the tools surrounding it.
> I don't have a problem with SuSE or Ubuntu.
Does Ubuntu even use SELinux? Does SuSE? I'm not sure. I know that Novell originally sponsored AppArmor but then laid off its development team (unless I'm having a brain fart and have confused it with another company). I believe Ubuntu picked up the ball and is funding most of the AppArmor development / maintenance so I don't think they use SELinux at all.
If you compare AppArmor to SELinux you'll see they are quite different. SELinux might not be ideal for one or more of your use cases. You'll have to decide for yourself. You can always turn it off or put it in permissive mode. See the /etc/sysconfig/selinux file.
> I have read on some blogs that Linux had never been hacked but that
> must have been written before Linux Foundation was hacked or maybe not
> true at all.
There have been a number of remotely exploitable, root-attainable bugs over the years that have appeared in the mainline kernel... but in most of the cases SELinux, if enabled, thwarted them. We have been pretty lucky in that while there have been bugs in the kernel as well as in various libraries, we really haven't had the mass infections that the Windows folks have. That is mainly due to Linux being less of a target (because Windows is king of the desktop), distros fixing problems fairly quickly, and users being awake at the wheel and installing distro updates in a timely fashion.
That isn't to say that there aren't nor haven't been Linux-based botnets, because there have. Those are mostly due to script-kiddie-like exploits on known vulnerable PHP applications. Most of the time those don't get root, but they still aren't very fun to clean up after.
What SELinux tries to do is limit each service with Mandatory Access Controls via a policy whereby if that service were to get exploited, the service would be limited in what it can do... by being limited to access to only those things the service is supposed to have access to.
Many people feel that SELinux is too complicated. Others think that there really isn't a way to make a competent security system easy. SELinux is as close to a compromise as possible... complete yet somewhat easy to use. SELinux definitely does take some time to learn, and those who don't want to learn it should probably turn it off. Those that do take the time to learn it are often happy they did so. You'll have to decide which camp you fall into.
RHEL and Fedora do have a security guide (that I haven't looked at recently) that I think offers a pretty good SELinux primer. I can also recommend a few videos on SELinux if you are interested.
TYL,
--
Scott Dowdle
704 Church Street
Belgrade, MT 59714
(406)388-0827 [home]
(406)994-3931 [work]
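The mode setting in /etc/sysconfig/selinux and the booleans mentioned in the reply above, as an added shell example that is not part of the original message: the config file contents and the getsebool-style listing are constructed samples written to temp files, and the function names are my own.

```shell
#!/bin/sh
# Added example: read the SELinux mode from a sysconfig-style file and look up
# boolean states from a `getsebool -a`-style listing. Inputs are constructed;
# on a real host use /etc/sysconfig/selinux and the output of `getsebool -a`.

# Constructed /etc/sysconfig/selinux (same layout as the real file).
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of: enforcing, permissive, disabled
SELINUX=permissive
# SELINUXTYPE= can take one of: targeted, mls
SELINUXTYPE=targeted
EOF

# Constructed `getsebool -a` output (real format is "name --> on|off").
SAMPLE_BOOLS=$(mktemp)
cat >"$SAMPLE_BOOLS" <<'EOF'
httpd_can_network_connect --> off
httpd_can_network_connect_db --> on
httpd_enable_homedirs --> off
EOF
trap 'rm -f "$SAMPLE_CONF" "$SAMPLE_BOOLS"' EXIT

# Print the configured mode; comment lines and SELINUXTYPE= do not match.
selinux_mode() {
  sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1
}

# Describe what the mode means; exit status 0 enforcing, 1 permissive, 2 otherwise.
mode_risk() {
  case "$(selinux_mode "$1")" in
    enforcing)  echo "enforcing: policy denials are blocked"; return 0 ;;
    permissive) echo "permissive: denials only logged as AVC messages"; return 1 ;;
    *)          echo "disabled/unknown: no mandatory access control in effect"; return 2 ;;
  esac
}

# Rewrite the SELINUX= line (e.g. permissive -> enforcing); takes effect on reboot.
set_mode() {
  sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$2/" "$1" >"$1.tmp" && mv "$1.tmp" "$1"
}

# Print on/off for one boolean; non-zero status if the boolean is not listed.
bool_state() {
  awk -v name="$2" '$1 == name && $2 == "-->" { print $3; found = 1 } END { exit !found }' "$1"
}

mode_risk "$SAMPLE_CONF"
bool_state "$SAMPLE_BOOLS" httpd_can_network_connect_db
```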