[CentOS] SELinux - way of the future or good idea but !!!

Mon Nov 29 17:38:20 UTC 2010
Les Mikesell <lesmikesell at gmail.com>

On 11/29/2010 10:52 AM, Lamar Owen wrote:
> On Monday, November 29, 2010 11:29:31 am Les Mikesell wrote:
>> Agreed, but not everyone has time to do both - or to learn lots of
>> distribution-specific details in mixed environments.  My opinion is that
>> doing the simple stuff first is a win.  And that works the same on
>> systems that don't include SELinux.
>
> The simple stuff on the Fedora box with SELinux is using the targeted policy in enforcing mode.  Updates are easy, but there is always a lag from vulnerability discovery to vulnerability patching.
>
> Security isn't simple.  The mantra 'just disable SELinux, you don't need it anyway because it's too big of a pain and apps that aren't part of the tested distribution can break' is oversimplifying a complex issue.  My opinion is that I'm not going to run third party apps that break in that way, and I'm going to let the developers know why.

The user/group/other unix permission set is simple and it works unless 
something is broken. If you can't get that right you have no hope of 
doing better with anything else.  More complex systems existed before 
unix and the argument that simplifying the setup to something 
understandable was a win was correct then and still is.   The concept of 
adding layers is OK, but not if you don't get the simple version right 
first and make an effort not to run broken software.

>>> SELinux is a powerful tool in helping combat zero day exploits from succeeding, in many cases.
>>
>> And it also keeps most 3rd party software from working.
>
> I'd ask you to qualify most.

Pretty much anything that needs to write files outside of the home 
directory of the owning user.  Certainly anything that uses apache with 
its own data store.

> All of the third-party software I run seems to run just fine, as long as the right contexts are applied.

Well, obviously it will work after someone takes the time to make it 
work.  Now it is your turn to quantify:  How much would you charge to 
teach someone to be able to make those changes and how long would it 
take?  This has to include the ability to quickly diagnose and fix any 
problem that might be caused by updates to the application or to the OS 
distribution.

-- 
   Les Mikesell
    lesmikesell at gmail.com
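The "quickly diagnose and fix" step the message above asks about, as an added example that is not part of either poster's mail: a small POSIX sh script that pulls the source type, target type, object class and permission out of an AVC denial (the constructed sample lines mimic the audit.log format for httpd writing to an app's own data directory) and prints the relabel commands for that case. The data path /srv/myapp/data, the process names and the contexts in the samples are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Parses AVC denial lines and, for a
# web app whose data store lives outside /var/www, prints the label fix.

# Constructed sample denials in the audit.log AVC format (not real logs).
SAMPLE_AVC='type=AVC msg=audit(1291052300.123:4567): avc:  denied  { write } for  pid=2412 comm="httpd" name="data" dev=dm-0 ino=131 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir'
SAMPLE_AVC2='type=AVC msg=audit(1291052301.456:4568): avc:  denied  { write } for  pid=2500 comm="mysqld" name="ib_logfile0" dev=dm-0 ino=140 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file'

# avc_field LINE KEY -> value of KEY=value (quotes stripped), empty if absent
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE -> the permission(s) inside "denied { ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\(.*[^ ]\) *}.*/\1/p'
}

# type_of CONTEXT -> the type field of user:role:type:level
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# suggest_fix LINE DATADIR -> commands that give httpd_t read/write access
# to DATADIR by labelling it httpd_sys_rw_content_t (persistently, via
# semanage, then applied with restorecon); other denials get no rule here.
suggest_fix() {
    line=$1; datadir=$2
    comm=$(avc_field "$line" comm)
    stype=$(type_of "$(avc_field "$line" scontext)")
    ttype=$(type_of "$(avc_field "$line" tcontext)")
    tclass=$(avc_field "$line" tclass)
    if [ "$stype" = httpd_t ] && { [ "$tclass" = dir ] || [ "$tclass" = file ]; }; then
        printf 'semanage fcontext -a -t httpd_sys_rw_content_t "%s(/.*)?"\n' "$datadir"
        printf 'restorecon -Rv "%s"\n' "$datadir"
    else
        printf 'no relabel rule for %s (%s) on %s labelled %s\n' \
            "$comm" "$stype" "$tclass" "$ttype"
    fi
}

suggest_fix "$SAMPLE_AVC" /srv/myapp/data
suggest_fix "$SAMPLE_AVC2" /srv/myapp/data
```

On a real box the input lines come from `ausearch -m avc -ts recent`; the printed commands only take effect once run as root, and a denial whose permission is not a plain file or directory access (ports, sockets) needs a boolean or policy module instead of a relabel.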