
What do people think about SELINUX? pros and cons


Rahul

Jul 1, 2008, 12:48:15 PM
Usually most things in Linux are very structured and make a lot of
intuitive sense. But I've never really gotten the hang of "SELINUX" and I
was just wondering if it was just me or do other people share the
feeling?

I tried googling up the stuff several times but it just feels way too
complicated for me. Permissions (perhaps more granular permissions as in
AFS) work well for me and I never perceived a need for "contexts". Do
people use them a lot? Perhaps it's just because I'm on a "toy-system" and
the critical production servers use it? Or not?

Or is it just that the implementation is so difficult that people are
tempted to "setenforce 0".

Is SELINUX more pushed by a particular distro (I'm on RHEL)? How big is
the downside to turning SELINUX off (as I have!) A serious security
blunder? Or not?

Just trying to develop a taste for SELINUX....but has been hard so far!

--
Rahul

1PW

Jul 2, 2008, 4:51:38 AM
Rahul wrote:

> Usually most things in Linux are very structured and make a lot of
> intuitive sense. But I've never really gotten the hang of "SELINUX" and I
> was just wondering if it was just me or do other people share the
> feeling?

I believe the learning curve /is/ steep for SELinux...

>
> I tried googling up the stuff several times but it just feels way too
> complicated for me. Permissions (perhaps more granular permissions as in
> AFS) work well for me and I never perceived a need for "contexts". Do
> people use them a lot? Perhaps it's just because I'm on a "toy-system" and
> the critical production servers use it? Or not?
>
> Or is it just that the implementation is so difficult that people are
> tempted to "setenforce 0".
>
> Is SELINUX more pushed by a particular distro (I'm on RHEL)?

Have you googled?

> How big is
> the downside to turning SELINUX off (as I have!) A serious security
> blunder? Or not?

How important is security with your system in mind?

>
> Just trying to develop a taste for SELINUX....but has been hard so far!
>

Hello to All:

I suppose I'm a product of my environment so when I saw the early talk
about SELinux being introduced into RHEL, I looked forward to it.

In a previous life, I worked for an employer that spent lots of U.S.
tax dollars. During my tenure, we saw quite a varied assortment of
Internet based attacks that even crippled our systems. So even if a
potential attacker were to gain access to our RHEL boxes, I was hopeful
that SELinux, and other hardening actions, would limit or protect us
from damage.

I run SELinux “enforcing” and “targeted” and I'm considering going
from “targeted” to “strict” as a test.

One of the applications I've seen trouble with is “Google Earth”. Even
then, I wrote a script to correct eleven SELinux reported errors I see
when I've upgraded “Google Earth”. The other is clamav, but I've seen
none lately.

Two other products, from the NSA, are publications released to the
public that deal with the hardening of RHEL 5:

A blurb on SELinux here:
<http://www.nsa.gov/snac/os/redhat/rhel5-guide-i731.PDF>

Four pages of SELinux enlightenment here:
<http://www.nsa.gov/snac/os/redhat/rhel5-pamphlet-i731.pdf>

Not all system administrators can implement everything in the above
publications. However, much is very helpful.

I realize that SELinux tries to help keep users and their applications
from violating security policies within the OS. We also know that
poorly written applications can cause SELinux to make things difficult
for administrators and users. But, SELinux can also help keep hackers
from doing damage and accessing files.

If you've recently updated RHEL from 5.1 to 5.2, then the new SELinux
policy files might make life easier. (or not)

My $0.02USD.

My best to all.

--
1PW

@?6A62?FEH9:DE=6o2@=]4@> [r4o7t]


Bit Twister

Jul 2, 2008, 8:56:42 AM
On Wed, 02 Jul 2008 13:52:03 +0100, Tony wrote:
>
> How exactly does it do that in a way that ordinary
> permissions or security on "vanilla" linux don't?

Some light reading found here
http://fedoraproject.org/wiki/SELinux

1PW

Jul 2, 2008, 5:20:25 PM
Tony wrote:

> On Wed, 02 Jul 2008 01:51:38 -0700, 1PW <barcrnah...@nby.pbz> wrote:
>
>> But, SELinux can also help keep hackers
>> from doing damage and accessing files.
>
> How exactly does it do that in a way that ordinary
> permissions or security on "vanilla" linux don't?
>
> Tony
>
>

Hello Tony:

I believe that in any group of computer users, the meaning of security
has different definitions. However, the policy enforcements and the
reporting are certainly the strong issues for me. Permissions are a
wonderful idea and coupling that with reporting has allowed me to see
that a few applications would benefit from security enhancements.

Others can state it with much more eloquence:

<http://searchenterpriselinux.techtarget.com/news/column/0,294698,sid39_gci1253747,00.html>

To the overburdened system administrator that disables SELinux at the
first sign of trouble, I understand. Promise yourself to come back
and seek a solution soon after. If one has it on their system, and
not turned on, I'd encourage them to try it. Even if it means
changing to 'Permissive' mode. Pursue the alerts as time permits.

Recently, I gamma tested a Linux based administrative application, that
when executed, caused several thousand SELinux alerts before
completion. I contacted the author, and now hopefully the issue is
being looked at. That application has a wonderful premise but
hadn't been tested on many platforms.

I use SELinux on our household, cable based ISP, system. I see between
200 & 300 probes at my ports per day. Yes - I do rely on my firewall
rules for protection. Yes, the probes are mostly looking for Windows
vulnerabilities. Am I using anti-virus protection too? Yes. Will my
luck run out one day? Perhaps. That's when I hope my numerous
hardening measures will foil intrusion.

As long as I see ongoing improvements (2 updates by the NSA this year),
I'm going to try and benefit through SELinux.

How say you?
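
An added illustration, not part of any post in this thread: a small Python sketch of the alert triage discussed above, grouping SELinux AVC denial records by process, source type, target type, object class and permission so the noisiest application shows up first. The log lines are constructed samples in the audit.log AVC format, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample records in the audit.log AVC format (not from a real system).
SAMPLE_LOG = """\
type=AVC msg=audit(1215012345.101:51): avc:  denied  { read } for  pid=2301 comm="httpd" name="index.html" dev=dm-0 ino=4412 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1215012345.207:52): avc:  denied  { getattr } for  pid=2301 comm="httpd" path="/home/demo/site/index.html" dev=dm-0 ino=4412 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1215012345.207:52): arch=40000003 syscall=195 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1215012399.010:60): avc:  denied  { execmod } for  pid=2777 comm="demoapp" path="/opt/demoapp/libdemo.so" dev=dm-0 ino=9001 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1215012400.500:61): avc:  denied  { read } for  pid=2302 comm="httpd" name="style.css" dev=dm-0 ino=4413 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
"""

# Permission set, then source context, target context and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
COMM_RE = re.compile(r'comm="([^"]*)"')


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def summarize_denials(log_text):
    """Count AVC denials per (comm, source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # skip SYSCALL and other record types
        m = AVC_RE.search(line)
        if not m:
            continue  # malformed or non-denial AVC record
        comm = COMM_RE.search(line)
        name = comm.group(1) if comm else "?"
        src = selinux_type(m.group("scontext"))
        tgt = selinux_type(m.group("tcontext"))
        for perm in m.group("perms").split():  # one record may list several permissions
            counts[(name, src, tgt, m.group("tclass"), perm)] += 1
    return counts


if __name__ == "__main__":
    for (comm, src, tgt, cls, perm), n in summarize_denials(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {comm}: {src} -> {tgt} ({cls}) {perm}")
```

On a real system the same records come from /var/log/audit/audit.log or `ausearch -m avc`, and `audit2why` explains each denial against the loaded policy.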
