[Novalug] October Talk -- SELinux for your (grand)parents

James Ewing Cottrell 3rd JECottrell3@Comcast.NET
Tue Sep 28 19:19:04 EDT 2010


On 9/28/2010 11:15 AM, Paul W. Frields wrote:
> On Mon, Sep 27, 2010 at 10:59:49AM -0500, Beartooth wrote:
>> On Mon, 27 Sep 2010, greg pryzby wrote:
>>
>>> There are quite a few new things in SELinux that I would like to
>>> share. The topic probably won't fill 2 hours, but I think everyone
>>> will find it interesting....
>>>
>>> Comments?
>>   	I picked up a note in a Fedora-list post some while back
>> to the effect that significantly many are just plain flat
>> disabling it -- on home machines only, iirc. You might want to
>> comment on what harm that does.
> Actually, the percentage of people disabling has dropped significantly
> since it was introduced.  (Most people disable because a Random Person
> on the Internet tells them so, although it's almost never necessary.)
> Our smolt statistics show about 56% have it enabled nowadays, and that
> probably includes a lot of older boxes.

First, let me say that the current versions of RHEL/Fedora/CentOS 
abstract and water down SELinux to the point where
the out-of-the-box version is almost invisible to most users. You only 
need to tweak a few settings if you run the services that are unsecure, 
such as FTP and NFS, maybe TFTP as well.

But what is smolt? Is that the software that mails off your 
configuration to somewhere right after installation? Given that you 
don't get the opportunity to actually manually disable SELinux, all your 
non-kickstart reports are going to mention it as being enabled.
> Almost no one needs to disable, and when you do so, if you re-enable
> it later you will have problems because of the disablement.  You can
> switch SELinux to 'permissive' mode to avoid these future problems,
> yet be able to run things unsafely.
By your logic later on, a relabelling ought to fix things.
> SELinux is basically a valet key for your services.  When you give
> your car to a valet you don't trust entirely, you give him a key that
> lets him drive to the parking space, but doesn't let him get into the
> glove compartment where your wife's diamonds are stored.
I should be so lucky to have such problems. And, I couldn't imagine a 
woman who wouldn't want to show them off.

Now "dead body in the trunk", that I can believe.
> (OK, most
> people wouldn't do that, but you get the picture.)  Similarly, when
> someone hits your web server, or your music share, etc., you don't
> want them to be able to exploit a security bug and get at documents
> they have no business reading.  When you load a page in your browser
> you don't want the browser code to be able to fiddle with stuff
> outside its purview.
And how would a chroot for your browser NOT fix that? We use chroots for 
Servers, why not Clients too?

Or simply modify the kernel to let any process do a setuid(nobody).

Or better yet, treat Users like Networks. Each user gets a subuser mask, 
and can setuid to any user within their
user network (as well as extend the subusermask). Log me in with a UID 
of 654.0, and allow me to setuid to 654.1 thru 654.255. Works for FM and 
TV stations.

User.0 can access anything within user.x, but not vice versa, nor can 
subusers setuid back. User ownership equivalence is tested for by anding 
the subusermask with the object owner and comparing it to the existing UID.

When userspace is exhausted, we can create Userv6  :)

Oh, and By The Way, while SELinux CAN be used to keep your clients out 
of each other's hair, so far it's only used for Servers, not Clients? Or 
are you saying that's changing?

But seriously....look how easy it is to come up with Rational, even 
Beautiful Alternatives without pissing all over the filesystem.

> I have several systems in the house that are used by my family
> exclusively and they are all SELinux enabled.  I know from personal
> experience that it's rare to have any problems with SELinux, and on
> those rare occasions I find a relabeling fixes everything.
>
> This is a truly worthwhile technology, and personally I'd be leery of
> advice from someone who tells me to simply disable it for expediency's
> sake.
I would also be leery of random people on the Internet telling me I was 
Dangerously At Risk without the latest and greatest Security Technology.

JIM

P.S. You didn't answer My Big Question either, altho in fairness, it 
wasn't directed to you specifically. Do all vendors use The Same Labels 
on The Same Files? I want my Filesystems to be used by several different 
OS, possibly at the same time.
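
Added example, not part of the original post or any real kernel interface: a C model of the subuser-mask scheme sketched in the message above, showing the AND-and-compare ownership test and the one-way setuid. The 8-bit subuser field, the `cred` struct and the `owns`/`sub_setuid` names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: a 32-bit UID whose low 8 bits are the subuser number ("654.5"). */
#define SUB_BITS    8u
#define MKUID(u, s) (((uint32_t)(u) << SUB_BITS) | (uint32_t)(s))
#define LOGIN_MASK  (~(uint32_t)0 << SUB_BITS)  /* 654.0 spans 654.0 - 654.255 */
#define FULL_MASK   (~(uint32_t)0)              /* a leaf subuser: only itself */

/* Hypothetical credential; invariant: (uid & mask) == uid. */
struct cred { uint32_t uid, mask; };

/* Ownership equivalence as the post words it: AND the subuser mask with the
 * object owner and compare the result to the existing UID. */
static bool owns(const struct cred *c, uint32_t owner)
{
    return (owner & c->mask) == c->uid;
}

/* setuid inside the caller's own "user network". The mask may only be
 * extended (bits added), so a subuser can never widen its reach again. */
static bool sub_setuid(struct cred *c, uint32_t target, uint32_t new_mask)
{
    if (!owns(c, target))                return false; /* outside the network */
    if ((new_mask & c->mask) != c->mask) return false; /* mask was shortened  */
    if ((target & new_mask) != target)   return false; /* breaks invariant    */
    c->uid = target;
    c->mask = new_mask;
    return true;
}

int main(void)
{
    struct cred c = { MKUID(654, 0), LOGIN_MASK };     /* constructed login */
    printf("654.0 owns 654.7: %d\n", owns(&c, MKUID(654, 7)));
    printf("654.0 owns 655.7: %d\n", owns(&c, MKUID(655, 7)));
    printf("setuid to 654.5:  %d\n", sub_setuid(&c, MKUID(654, 5), FULL_MASK));
    printf("654.5 owns 654.0: %d\n", owns(&c, MKUID(654, 0)));
    printf("setuid back:      %d\n", sub_setuid(&c, MKUID(654, 0), LOGIN_MASK));
    return 0;
}
```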
