[CentOS] SELinux - way of the future or good idea but !!!

Sun Nov 28 17:31:28 UTC 2010
Benjamin Franz <jfranz at freerun.com>

On 11/27/2010 02:52 PM, Marko Vojinovic wrote:
> On Saturday 27 November 2010 18:57:50 Benjamin Franz wrote:
>> On 11/26/2010 05:17 PM, Patrick Lists wrote:
>>> What's with people recommending to turn off SELinux?! That's just bad
>>> advice and like recommending people keep their doors unlocked at all
>>> times. Really, stop doing that. SELinux is there for a reason.
>> SELinux is like an automatic collision avoidance system for an airplane
>> that unpredictably crashes the plane during normal flight. While the
>> basic idea is good, until it stops crashing planes without warning it
>> isn't going to be accepted.
> I don't understand this analogy. I have never seen SELinux crashing the system
> or doing some damage otherwise. What experience do you have with SELinux
> crashing anything on a working system?
>

My experience with SELinux updates is that you can't predict them. It could 
be filling up your disk with logs it forgot to delete after rotating. 
It could be breaking X, disabling a previously working Apache 
configuration, breaking previously working mail systems, and so on.

>> It is not enough that it mitigates certain classes of attacks when it
>> actively breaks running systems *more often* than it mitigates attacks.
>> And that is my personal experience. Every year or two I try turning it
>> on on a few systems. And then, after it suddenly decides to break a
>> previously stable system - it gets turned back off.
> If your system was running for some time with SELinux disabled (not in
> permissive mode, but disabled), turning it on without doing a proper
> relabeling of the filesystem is known to be a very Bad Idea. Typically all
> problems that occur in this situation can be eliminated by relabeling the
> whole filesystem once. Maybe that was the step you missed?

No. I didn't phrase it clearly enough. I build systems fairly 
frequently. And periodically I'll decide that one of them will have 
SELinux turned on right from the start. And after I spend the time to 
make everything happy, it will work. The system will be stable. For a while.

And then, one day, it won't work. Worse - it doesn't always *log* what 
it is doing in a way that you can figure out. Occasionally not at all. 
So you spend a few hours poking at the system until you try the magic of 
turning off SELinux. And then it starts working again.

My experience is that *unless you have a system configured exactly like 
the defaults*, SELinux is prone to suddenly deciding after an update 
that it doesn't like your configuration anymore. Once because an update 
to SELinux changed the labeling on an existing directory tree - blowing 
away my own applied labeling with no warning. And there are even RH 
supplied rpms that *do not work* with SELinux without SELinux being 
tweaked first.

I've had one machine (of several dozen running) hacked in 15 years 
(entirely because I forgot to keep it updated). It was several years ago.

I've had several instances of SELinux breaking a previously stable 
system after an update to SELinux or its policies. On about the same 
number of machines. The most recent within the last year.

I've been burned by SELinux's misbehavior multiple times. It will take a 
very long time for it to earn my trust again.

-- 
Benjamin Franz
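The two failure modes argued over in this thread, a custom label that a later relabel throws away and a denial that is hard to find in the logs, both have a standard triage routine. The script below is an added example for this page, not code posted by either participant: it summarises AVC denial records from audit.log into one readable line each, and prints the `semanage fcontext` + `restorecon` pair that records a custom label in the local policy store so that `restorecon` and a full relabel re-apply it instead of reverting it (a label applied with `chcon` alone is what a relabel removes). The audit records, the `/srv/www` path and the `httpd_sys_content_t` type are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Offline triage of SELinux
# AVC denials plus the commands that make a custom file label persistent.
# The audit records and paths below are constructed for illustration.

# Constructed sample of /var/log/audit/audit.log (or `ausearch -m avc` output).
# Record format follows the kernel's AVC audit message layout; the SYSCALL
# line is there to show that non-AVC records are ignored.
sample_audit() {
    cat <<'EOF'
type=AVC msg=audit(1290960000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=sda1 ino=12345 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1290960000.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1290960100.456:789): avc:  denied  { name_connect } for  pid=2345 comm="postfix" dest=3306 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
EOF
}

# Reduce each AVC denial to: denied {perms} <comm> <source domain> -> <target type>:<class>.
# Reads audit records on stdin; prints nothing for records that are not denials.
avc_summary() {
    sed -n 's/.*avc: *denied *{ *\([^}]*[^} ]\) *} .*comm="\([^"]*\)".*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/denied {\1} \2 \3 -> \4:\5/p'
}

# Print the two commands that make a custom label survive relabeling.
# `semanage fcontext -a` stores the rule in the local file-context database, so
# `restorecon`, `fixfiles` and a boot-time autorelabel re-apply it; `chcon`
# changes only the inode label and is reverted by the next relabel.
# $1 = directory (hypothetical example path), $2 = SELinux type to assign.
persist_label() {
    dir=$1
    type=$2
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$type" "$dir"
    printf 'restorecon -Rv "%s"\n' "$dir"
}

# Usage on the constructed sample.
sample_audit | avc_summary
persist_label /srv/www httpd_sys_content_t

# On a live CentOS host the same routine is:
#   ausearch -m avc -ts recent | avc_summary     # recent denials, one line each
#   audit2why < /var/log/audit/audit.log         # why each denial happened
#   semodule -DB                                 # temporarily disable dontaudit
#                                                # rules so silent denials are logged
#   semodule -B                                  # rebuild policy, re-enable dontaudit
#   touch /.autorelabel && reboot                # full relabel after going from
#                                                # disabled to permissive/enforcing
```

`avc_summary` lists the source domain and target type, which is exactly the pair a custom `semanage fcontext` rule or a local policy module must address; `semodule -DB` is the check for the case where SELinux blocks something but no AVC record appears, since policy `dontaudit` rules suppress the log entry by default.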