[TriLUG] Thoughts on SELinux - PIA or a good thing?

Aaron Joyner aaron at joyner.ws
Fri Mar 19 21:16:14 EDT 2010


I was curious to see where this thread would go.  :)  My general
opinion is somewhat akin to Brian's, that if you really need the
security provided by SELinux there's not much else that does the job.
Unfortunately, the way most people manage Linux systems is very much a
"by the seat of the pants" kind of thing.  I don't say that in a bad
way, I do it myself in most non-professional cases.  SELinux makes
that mode of operation ("enh, I think I'll install this and try it
out" or "I only have 20m to get this script to work to make the wife
happy before I have to get to work") very difficult.  The amusing
thing is that it's really those servers which get less careful
attention that would benefit the most from the Mandatory Access
Controls (MAC) SELinux provides.  Specifically, SELinux is what saves
you when you've configured Apache to only listen on port 80/443, only
talk to the database and read from a few local directories... and then
someone compromises that phpBB you set up for your sister[1] in 2003
but haven't even logged into in years.  Their script kiddie or worm
assumes the ability to download a perl script and login to IRC or just
write itself to the image directory or whatever, which the MAC denies,
and they go away quietly.  Sadly, it means you probably wouldn't have
had time to get that phpBB install working for your sister, because
the package manager *also* doesn't use SELinux, so there's no easy
profile for you to apply which states what its binaries are supposed
to do (or what it might need to allow other binaries to do, such as
apache to talk to mysql).

Maybe some day SELinux will become mainstream enough that these
problems will be solved by the package managers for us, in the same
way that virtually no one builds QT or X11 or even their kernel from
source any more.  I suspect it will happen around the same time all
our DNS records are signed with DNSSEC and opportunistically encrypted
as they traverse the internet via IPv6.

Aaron S. Joyner

1 - The situation is entirely hypothetical.  I'm an only child.  :)
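What the "MAC denies" scenario above looks like from the defender's side is a run of AVC denial records in the audit log: httpd_t trying to name_connect to an IRC port, or to write into the image directory, and being refused. The following is an added example, not part of Aaron's post or of any SELinux tooling: a small Python parser for AVC records that groups denials by source domain. The audit lines it runs over are constructed samples in the audit.log AVC format (pids, inodes and timestamps are made up), not output from a real system.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from a real host). The first two show
# a confined httpd_t process being refused an outbound IRC connection and a
# write into the web content directory; the ntpd_t line is there only to show
# grouping by domain. Field values are invented for illustration.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1268954174.101:201): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=6667 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ircd_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1268954174.101:201): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1268954174.205:202): avc:  denied  { write } for  pid=2345 comm="httpd" name="images" dev=sda1 ino=40321 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1268954180.000:204): avc:  denied  { read write } for  pid=999 comm="ntpd" name="drift" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
"""

# An AVC record carries the decision, the permission set in braces, and then
# a run of key=value fields (comm, scontext, tcontext, tclass, ...).
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _domain(context):
    """Return the type field (third component) of a SELinux context string."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None otherwise."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "pid": fields.get("pid"),
        "source": _domain(fields.get("scontext", "")),
        "target": _domain(fields.get("tcontext", "")),
        "tclass": fields.get("tclass"),
        # Files/dirs carry name=, sockets carry dest= (the port number).
        "name": fields.get("name") or fields.get("dest"),
    }


def summarize_denials(log_text):
    """Group denied AVC records by the source domain that was refused."""
    by_domain = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["decision"] == "denied":
            by_domain[rec["source"]].append(rec)
    return dict(by_domain)


def describe(rec):
    """One-line human-readable rendering of a parsed denial."""
    return (
        f'{rec["source"]} ({rec["comm"]}, pid {rec["pid"]}) denied '
        f'{" ".join(rec["perms"])} on {rec["tclass"]} {rec["target"]} ({rec["name"]})'
    )


if __name__ == "__main__":
    for domain, recs in summarize_denials(SAMPLE_AUDIT_LOG).items():
        print(f"{domain}: {len(recs)} denial(s)")
        for rec in recs:
            print("  " + describe(rec))
```

In practice you would feed it `/var/log/audit/audit.log` (or `ausearch -m avc` output), and a burst of httpd_t denials against ircd_port_t or for writes into httpd_sys_content_t is exactly the signal that a confined web process is trying to do something its policy never allowed.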


On Tue, Mar 16, 2010 at 9:25 PM, Ron Kelley <rkelleyrtp at gmail.com> wrote:
> Generally speaking, what do most people think about SELinux?  A colleague is reviewing some security auditing procedures that highly recommend using SELinux (he is running on CentOS 5.4 servers).  If they enable SELinux, they will have to do an entire regression test phase due to the potential effects of SELinux on their application (Ruby on Rails front-ended by Nginx).
>
>
> Normally, I disable SELinux and IPTables on my servers because they are all behind firewalls (and I only open the necessary ports).
>
>
> What do you guys think?
>
> -Ron
> --
> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG FAQ          : http://www.trilug.org/wiki/Frequently_Asked_Questions
>
