[Novalug] Selinux: to disable or not

Peter Larsen plarsen@famlarsen.homelinux.com
Thu Mar 15 22:56:21 EDT 2012


On Thu, 2012-03-15 at 19:16 -0400, James Ewing Cottrell 3rd wrote: 
> On 3/14/2012 9:45 AM, Peter Larsen wrote:
> > On Mon, 2012-03-12 at 09:35 +0000, jecottrell3@comcast.net wrote:
> >> Methinks you are a tad optimistic. I think Very Few people actually take the time to understand it.
> > Methinks not ;)  At least not with the system administrators I talk to.
> Then we obviously run in different circles.

I guess so.

> > SELinux has more than 10 years behind it now. It is and should be part
> > of any server installation you use; and with Fedora I'm even having no
> > problems running desktop things with SELinux enabled too.
> It is getting better...less intrusive...I will give you that.

Well, it is intrusive. It's the whole point of locking things down. I
hear people complain because they didn't expect certain actions/features
to be blocked, and not knowing 1) that it's SELinux, and 2) how to fix it
with SELinux will of course make you quite annoyed. Then we have those
who have heard of SELinux but refuse to learn it, so they simply disable
it and proclaim loudly it doesn't work... ask them why, and
they can't even explain the basic architecture, which takes away their whole
argument.

> > I cannot speak
> > to Ubuntu or Arch - personally I think it would be a big mistake by not
> > including nor enabling SELinux in any distribution these days.
> Include it sure...turning it on is another thing entirely.

Ok - so let me ask this - should we change the setting on Apache and
vsftp to bind to eth0 instead of lo ?  They are locked down by default
too - in other words, they come pretty much fully protected. They're
useless unless you do something. To me that's an important security
feature. It shouldn't be a choice if I want to have basic file based
security, password protected accounts etc. - we should install with a
workable and sensible level of security. We can then turn it up further
if needed (rarely would I expect it to go down from the default).

> >> However...I have progressed to the point of running it in Permissive mode rather than Disabled.
> > Then why have it at all?
> Yup. I can claim that I am "using" it, but it doesn't get in my way. And 
> if it starts squawking, I can look for trouble.

You're no more using it than logwatch is protecting your box. You seem
to treat it as a tripwire kind of thing. But tripwire is not going to
protect your box; it just lets you know that you've been compromised. Granted,
that's better than NOT knowing - but you're still compromised. Let me
make this parallel - it's like claiming you're having safe sex if you
take the condom and put it on the table next to the bed. You've gone through
the "trouble" of purchasing it, preparing it etc., but in the end, it's
going to make no difference.

> >   This is like declaring, that you're using file
> > security settings, but you always login as root to turn them off in
> > runtime mode?
> Many production servers only have root, or generic users for web 
> servers. People ssh into them as root and the SAs have their public keys 
> in /root/.ssh/authorized keys. No user accounts on servers...not even SAs.

Those environments still scare me. I see no point in shared accounts -
in particular in shared root - that is just too scary a proposition to
me.

> > The whole point of SELinux is to stop unplanned/unknown features from being
> > utilized on your system - not to allow backdoors to be installed that
> > could compromise your system.
> This doesn't worry me. And besides...it's just another door to compromise.

Implemented right, there is no door, only a wall. The default setup
has a few cracks in it, but it's pretty solid for the targeted products
it covers out of the box. In other words, this isn't a matter of looking
for the right password.

> > Personally I'm getting a bit tired of the argument that this "new thing"
> > isn't needed.
> Well, clearly it is no longer new. But remember...people resist what 
> they don't like. Remember how many people kept running SunOS 4 instead 
> of switching to Solaris?

Sure - I also know people who use "password" as their password, or even
clear the root password because they don't like the "extra typing".
That doesn't make it right - and it most certainly does not mean the
systems they run are very secure.

> > There's good reason that the DoD requires it, and quite
> > frankly every large installation of Linux that I know of, requires it
> > too.
> .GOV is seriously paranoid these days...way too restrictive...not a fun 
> environment to work in anymore.

Well, I rest assured that .gov sites take security seriously. I'd much
rather have them go a bit overboard than underboard (?? is that a
word ??) on that account.

> > Just as they require firewalls, file based security and other
> > security features we almost take for granted with Linux these days.
> Next you'll be wanting to use ACLs too.

When needed, sure. Try to implement shared access to web-root
directories without it. Of course, if your approach to all
administration is a single shared root account you're basically
rejecting the need for control and audit. Maybe that's where we
fundamentally differ.

> > Basic SELinux is not that hard to learn. We've got plenty of tools that
> > make basic trouble-shooting a breeze.
> Maybe...but what does it really buy me? Going from 98% Secure to 99% 
> Secure doesn't thrill me.

Ehhh - wrong numbers. Without SELinux (or AppArmor I guess) you're at
50%. With the default SELinux you're close to 75%, but you still have a
great weak point in a single shared account with no accountability for
changes. Once you change SELinux to full enforcement and remove root's
ability to turn SELinux off and change settings - which locks root down -
we get close to 95-98%. Nothing is 100%
- but with SELinux we can make sure that compromises don't spread like
wildfire.

> I am totally happy with "I'm Root and You're Not". That's all the 
> Security I need. Simple to understand, simple to use.

That may have worked in the early days of Unix where simplicity was key.
Systems have become more complex. We have machines with 64 "processors"
and we multi-purpose them running a ton of instances of "separate"
things. I.e., multiple app servers, ftp etc. over virtual IPs. Systems
like this have to have compartmentalized protections enforced by
policies so one bad apple doesn't compromise the whole box. You have no
way to implement security walls between apps unless you use something
like SELinux.

I'll grant you that if your system is single purposed it has less
relevance (but it still prohibits someone from taking your apache and
turning it into a spam-bot). But I don't know where you can even buy
servers today that don't have 8-16 cores at a minimum - and those are
even hard to find too.

> Oddly enough, I do like Capabilities tho.

I feel the same about other features. I like PAM because of all the
stuff I can do with it, but I find it rarely necessary to mess with it.
But I like that I _can_ do it. 

-- 
Best Regards
  Peter Larsen

Wise words of the day:
Footnotes are for things you believe don't really belong in LDP manuals,
but want to include anyway.
	-- Joel N. Weber II discussing the 'make' chapter of LPG
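The thread's central point is that a permissive box only logs denials, it blocks nothing. The following script is an added example (not from the thread or any of its participants) of two checks an administrator can run before claiming a box is "using" SELinux: compare the running mode with the boot-time setting in /etc/selinux/config, and count the AVC denials in an audit log that were merely logged (permissive=1) versus actually blocked (permissive=0). The config fragment and audit lines below are constructed for the demo; the function names are this example's own. On a real host the inputs are `getenforce`, /etc/selinux/config and /var/log/audit/audit.log.

```shell
#!/bin/sh
# Added example: is SELinux protecting this box, or just squawking?
#   classify_posture MODE CONFIG  - MODE is what `getenforce` prints; CONFIG is
#                                   the /etc/selinux/config file (boot setting)
#   count_avcs LOGFILE            - splits AVC denials in an audit log into
#                                   logged-only (permissive=1) and blocked
#                                   (permissive=0)

classify_posture() {
    mode=$1
    cfg=$2
    # Last uncommented SELINUX= line wins; a missing line is treated as disabled.
    boot=$(sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$cfg" | tail -n 1)
    [ -n "$boot" ] || boot=disabled
    case "$mode/$boot" in
        Enforcing/enforcing) echo "enforcing" ;;
        Enforcing/*)         echo "enforcing-until-reboot (config says $boot)" ;;
        Permissive/*)        echo "permissive: denials are logged, nothing is blocked" ;;
        Disabled/*)          echo "disabled: no labels, no policy" ;;
        *)                   echo "unknown: mode=$mode boot=$boot" ;;
    esac
}

count_avcs() {
    log=$1
    # grep -c exits 1 when the count is 0; "|| true" keeps the printed 0.
    logged=$(grep -c 'type=AVC .*permissive=1' "$log" || true)
    blocked=$(grep -c 'type=AVC .*permissive=0' "$log" || true)
    echo "logged_only=$logged blocked=$blocked"
}

# --- constructed sample inputs (stand-ins for the real files) ---------------
SAMPLE_DIR=$(mktemp -d)
SAMPLE_CFG=$SAMPLE_DIR/config
SAMPLE_LOG=$SAMPLE_DIR/audit.log

cat > "$SAMPLE_CFG" <<'EOF'
# constructed /etc/selinux/config
SELINUX=permissive
SELINUXTYPE=targeted
EOF

# Constructed audit.log: two denials seen while permissive, one after a switch
# to enforcing (permissive=0), plus a SYSCALL record that must not be counted.
cat > "$SAMPLE_LOG" <<'EOF'
type=AVC msg=audit(1331869200.101:201): avc:  denied  { name_connect } for  pid=2001 comm="httpd" dest=25 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1331869260.102:202): avc:  denied  { write } for  pid=2001 comm="httpd" name="index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1331869320.103:203): avc:  denied  { execute } for  pid=2002 comm="httpd" name="sh" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1331869320.103:203): arch=c000003e syscall=59 success=no exit=-13
EOF

echo "posture: $(classify_posture Permissive "$SAMPLE_CFG")"
echo "denials: $(count_avcs "$SAMPLE_LOG")"
# Live host: classify_posture "$(getenforce)" /etc/selinux/config
#            count_avcs /var/log/audit/audit.log
```

Every `permissive=1` line is an action that went through untouched; that count is the gap between "I have SELinux" and "SELinux is protecting me", and it is the list to work through (fix labels, adjust booleans, or write a local module) before switching the box to enforcing.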