[CentOS] SELinux - way of the future or good idea but !!!

Marko Vojinovic vvmarko at gmail.com
Sun Nov 28 18:29:47 EST 2010


On Sunday 28 November 2010 19:28:17 Les Mikesell wrote:
> On 11/28/10 1:06 PM, Jorge Fábregas wrote:
> > There has been a lot of progress with SELinux lately. I think you should
> > reconsider your position and perhaps give it a try on the upcoming CentOS
> > 6 where the targeted policy is much matured.
> 
> SELinux has been around many years now.  Are there any objective metrics we
> can observe instead of having people rant about their own opinions here?
> 
> Things like:
>     Number of bugs posted against SELinux itself.

If you mean actual SELinux code (built in the kernel), it's a reasonably 
simple thing, AFAIK. In a nutshell, it takes the label of the app trying to 
gain some access, the label of the file being accessed, and looks up in a table 
of rules (the policy) to see if the two are compatible. It isn't much different 
than the permissions system or the firewall. I don't expect any serious number 
of bugs reported against the code that implements that kind of thing.

If, however, you mean the SELinux policy, this is a moving target --- it 
evolves and changes even without bug reports, so any potential number of 
reported bugs would not be much useful as a meaningful piece of metric.

>     Measured hours of effort to learn the system well.

man chcon
man restorecon
man semanage

That gives you all operational knowledge one typically needs when dealing with 
SELinux. Of course, you can always invest more time and read a more elaborate 
piece of documentation, if you wish.

But for a reasonably capable sysadmin, reading three man pages is not a 
terrible effort, it can be done in less than one hour.

>     Ratio of security breeches expected on systems that do/don't include
> SELinux. Lists of 3rd party apps that do/don't work with SELinux.

I wouldn't know the typical ratio itself as a number, but I can tell you it is 
surely less than one. I had three identical systems compromised at the same 
time (one of the users had a weak password, and he used the same password on 
all three machines... you wouldn't believe...). Two systems had SELinux 
disabled, the third one had it enabled. For the first two, intruder managed to 
escalate to root and I had a busy weekend reinstalling those machines from 
scratch afterwards. For the third one, the intruder never managed to escalate 
to root, and this was clearly visible in SELinux and other system logs. I 
simply purged that user account and had everything working in no time.

So in essence, there is at least one machine (that I know of first-hand) where 
SELinux prevented a serious intrusion. Therefore, the do/don't ratio of 
breaches is surely less than one. :-)

> Without those, it's all handwaving and if there aren't any real metrics
> it's fair to assume the value isn't worth the trouble you can expect.

If there aren't any real metrics, it's only safe not to assume anything. The 
pain/gain ratio can only be estimated for each particular case separately. If 
it doesn't give you too much pain, SELinux is certainly a good thing to have 
around, in enforcing mode. :-)

Best, :-)
Marko





More information about the CentOS mailing list