[Novalug] Selinux: to disable or not

Peter Larsen plarsen@famlarsen.homelinux.com
Thu Mar 15 02:32:21 EDT 2012


On Wed, 2012-03-14 at 17:00 -0400, Jay Hart wrote: 
> Peter,
> 
> What I would like to know is what actually happens on your system when you
> take selinux from "disabled" to "permissive" or "enabled"?  Can you kind of
> explain the process of "relabeling"?

Relabeling deals with one part of SELinux, which is file context. Once you
disable SELinux, when you create new files they don't automatically get
the correct context based on the policies you're running (or you may
have altered the policy too). So when you go from "disabled" to
"enabled", we need to ensure that all files are marked with the correct
context. Re-labeling simply runs through every fcontext policy and
applies it to the file system. If you have a LOT of files, this can take
a very, very, very long time. For little home systems it's negligible
(grab-a-cup-of-coffee time).

Once selinux is loaded and running, as you add/change files on the file
system, the fcontext is updated live - you don't even realize it's going
on. All based on the fcontext policies.

To see all your current fcontext policies run: semanage fcontext -l

SELinux has other areas (do a man on semanage to get a full overview),
but only the file context is this complex. SELinux stores the fcontext
in extended attributes, which are checked as part of the normal file
attribute checks that are done whenever you access a file.

What confuses people is that the error message never says "you cannot do
this because of SELinux". What I think people forget is that you get
the same message if your chmod or fattrs are set wrong too. We cannot
tell the user WHAT security we have in place - it's part of the security
model. The good news is that for SELinux we have the audit log, which
tells us everything we need to know. And sealert now allows us to look
up individual issues and see what happened, and even suggested solutions,
including the commands to run, to fix it.

Additional utilities like "audit2allow" can be used to process a day's
worth of issues and generate policy files for you. Like with everything
in security, you should do this with some caution and think about what
you're about to allow.

> 
> Jay
> 
> > On Mon, 2012-03-12 at 09:35 +0000, jecottrell3@comcast.net wrote:
> >> Methinks you are a tad optimistic. I think Very Few people actually take the
> >> time to understand it.
> >
> > Methinks not ;)  At least not with the system administrators I talk to.
> > SELinux has more than 10 years behind it now. It is and should be part
> > of any server installation you use; and with Fedora I'm even having no
> > problems running desktop things with SELinux enabled too. I cannot speak
> > to Ubuntu or Arch - personally I think it would be a big mistake not to
> > include or enable SELinux in any distribution these days.
> >
> >> However...I have progressed to the point of running it in Permissive mode
> >> rather than Disabled.
> >
> > Then why have it at all? This is like declaring that you're using file
> > security settings, but you always log in as root to turn them off in
> > runtime mode?
> >
> > The whole point of SELinux is to stop unplanned/unknown features from
> > being utilized on your system - not to allow backdoors to be installed
> > that could compromise your system.
> >
> > Personally I'm getting a bit tired of the argument that this "new thing"
> > isn't needed. There's good reason that the DoD requires it, and quite
> > frankly every large installation of Linux that I know of, requires it
> > too. Just as they require firewalls, file based security and other
> > security features we almost take for granted with Linux these days.
> >
> > Basic SELinux is not that hard to learn. We've got plenty of tools that
> > make basic trouble-shooting a breeze.
> >
> > --
> > Best Regards
> >   Peter Larsen
> >
> 


-- 
Best Regards
  Peter Larsen

Wise words of the day:
The documentation is in Japanese.  Good luck.
	-- Rich $alz
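The practical side of what Peter describes above (read the denial out of the audit log, then decide whether the file is mislabeled or the policy really lacks a rule), as an added shell example; it is not part of the original post or of any SELinux project code. The AVC line is constructed, not a real log record. The type that the fcontext rules assign to the path, which on a live system you would get from `matchpathcon`, is passed in as a parameter so the script runs on a box without SELinux tooling; `restorecon`, `audit2allow` and `semodule` are the real commands, while the `/path/to/` placeholder and the `local_<comm>` module name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): triage one SELinux AVC denial
# from /var/log/audit/audit.log and decide whether it is a labeling problem
# (fix with restorecon) or a genuine policy gap (consider audit2allow, after
# reading what it would allow).

# Constructed sample denial, not a real log line. The layout matches what the
# kernel AVC writes: the permission in braces, then key=value pairs.
SAMPLE_AVC='type=AVC msg=audit(1331780000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# avc_field LINE KEY -> value of KEY=..., with surrounding quotes removed.
avc_field() {
    printf '%s\n' "$1" |
        sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE -> the permission(s) listed between "denied {" and "}".
avc_perm() {
    printf '%s\n' "$1" |
        sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*[^} ]\)[[:space:]]*}.*/\1/p'
}

# type_of CONTEXT -> the type field of a user:role:type:level context.
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE -> "comm source_type -> target_type tclass:perm"
avc_summary() {
    printf '%s %s -> %s %s:%s\n' \
        "$(avc_field "$1" comm)" \
        "$(type_of "$(avc_field "$1" scontext)")" \
        "$(type_of "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_perm "$1")"
}

# avc_triage LINE EXPECTED_TYPE -> "relabel" or "policy".
# EXPECTED_TYPE is the type the fcontext rules assign to the file's path; on a
# live system you get it with `matchpathcon /path/to/file` (a parameter here
# so the script runs without SELinux tooling). If the file's actual type
# differs, the fix is a relabel, not a policy change.
avc_triage() {
    actual=$(type_of "$(avc_field "$1" tcontext)")
    if [ "$actual" != "$2" ]; then
        echo relabel
    else
        echo policy
    fi
}

# avc_suggest LINE EXPECTED_TYPE -> print the next command to run.
avc_suggest() {
    case $(avc_triage "$1" "$2") in
    relabel)
        # restorecon reapplies the fcontext rules to the file; the AVC record
        # only carries the basename, so /path/to/ is a placeholder to resolve.
        printf 'restorecon -v /path/to/%s   # file is %s, policy expects %s\n' \
            "$(avc_field "$1" name)" \
            "$(type_of "$(avc_field "$1" tcontext)")" "$2"
        ;;
    policy)
        # Only now is a policy module justified; read the generated .te file
        # (audit2allow -a -w explains the denials) before semodule -i.
        printf 'audit2allow -a -M local_%s   # review local_%s.te before semodule -i\n' \
            "$(avc_field "$1" comm)" "$(avc_field "$1" comm)"
        ;;
    esac
}

# Demo on the constructed sample: httpd reading a file that still carries the
# user_home_t label it got in a home directory (e.g. moved with mv, which keeps
# the source label) into a directory whose fcontext rule says httpd_sys_content_t.
echo "Denial : $(avc_summary "$SAMPLE_AVC")"
echo "Verdict: $(avc_triage "$SAMPLE_AVC" httpd_sys_content_t)"
avc_suggest "$SAMPLE_AVC" httpd_sys_content_t
```

The order of the questions is the point: first ask whether the target file carries the label the fcontext rules say it should, because if it does not, `restorecon` is the whole fix, and feeding the same denial to `audit2allow` would bake a rule for the wrong label into your policy. Only when the label is already correct does a missing rule become the likely cause, and even then the generated `.te` should be read before it is loaded.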