[TriLUG] Thoughts on SELinux - PIA or a good thing?

Brian Cottingham spiffytech at gmail.com
Tue Mar 16 21:59:12 EDT 2010


SELinux is, in theory, great. When configured properly it can make a system
very secure and it offers pretty fine-grained controls.

However, I can't remember meeting anyone who leaves it enabled. When someone
has a problem with a fresh Fedora or RHEL/CentOS install one of the first
questions I usually see asked is "Have you disabled SELinux?".

It's quite tricky to configure SELinux correctly. For example, Fedora's
default SELinux config can get in the way of installing with an existing
home directory. You'd think Fedora would have that rather ordinary
installation option worked out.

If you're really serious about security on your servers, suffer through the
pain and learn to configure SELinux (permissive mode helps). My rule of
thumb is if I can't point to a feature of SELinux and say "I need that kind
of control!", avoid the pain of hard-to-debug issues and just disable it.

On the subject of iptables, it's only safe to disable it if you trust all
machines on your network. Servers that aren't protected from other machines
on the network are vulnerable to laptops that were infected at home or
Starbucks.

-Brian
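As an added example (not code from this thread), here is what "permissive mode helps" looks like in practice: with SELinux permissive, denials are logged but not blocked, so you can collect the AVC records and group them by source domain, target type, object class and permission before deciding what policy the application really needs. The audit lines below are constructed samples, not a real log.

```shell
#!/bin/sh
# Added example: triage SELinux AVC denials gathered while running in
# permissive mode (setenforce 0). On a real host the input would be
# /var/log/audit/audit.log; these lines are constructed samples.
AVC_SAMPLE='type=AVC msg=audit(1268790000.123:42): avc:  denied  { read } for  pid=1234 comm="nginx" name="index.html" dev=sda1 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1268790001.456:43): avc:  denied  { name_connect } for  pid=1234 comm="nginx" dest=3000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1268790002.789:44): avc:  denied  { read } for  pid=1235 comm="nginx" name="style.css" dev=sda1 ino=5679 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1268790002.789:44): arch=c000003e syscall=2 success=yes exit=5'

# summarize_avc: read audit records on stdin and print one line per distinct
# "<source type> <target type> <class> <permission>" tuple, most frequent
# first, prefixed by its count. Non-AVC records (SYSCALL, etc.) are ignored.
summarize_avc() {
    grep 'avc: *denied' \
    | sed -n 's/.*denied *{ *\([^}]*[^ ]\) *}.*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\2 \3 \4 \1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ $1 = $1; print }'   # strip uniq -c's leading padding
}

# Stand-alone run over the constructed sample. In the first tuple, nginx
# (httpd_t) reads files labelled user_home_t: exactly the "existing home
# directory" clash mentioned above, fixed by relabelling or a boolean rather
# than by disabling SELinux. The second is a connect to an unreserved port
# (the Rails backend), which needs an httpd_can_network_connect-style boolean.
# audit2allow -a can turn the remaining denials into a local policy module.
printf '%s\n' "$AVC_SAMPLE" | summarize_avc
```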


On Tue, Mar 16, 2010 at 9:25 PM, Ron Kelley <rkelleyrtp at gmail.com> wrote:

> Generally speaking, what do most people think about SELinux?  A colleague
> is reviewing some security auditing procedures that highly recommend using
> SELinux (he is running on CentOS 5.4 servers).  If they enable SELinux, they
> will have to do an entire regression test phase due to the potential effects
> of SELinux on their application (Ruby on Rails front-ended by Nginx).
>
>
> Normally, I disable SELinux and IPTables on my servers because they are all
> behind firewalls (and I only open the necessary ports).
>
>
> What do you guys think?
>
> -Ron
> --
> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG FAQ          : http://www.trilug.org/wiki/Frequently_Asked_Questions
>


