On 11/29/2010 10:52 AM, Lamar Owen wrote:
On Monday, November 29, 2010 11:29:31 am Les Mikesell wrote:
Agreed, but not everyone has time to do both - or to learn lots of distribution-specific details in mixed environments. My opinion is that doing the simple stuff first is a win. And that works the same on systems that don't include SELinux.
The simple stuff on the Fedora box with SELinux is using the targeted policy in enforcing mode. Updates are easy, but there is always a lag from vulnerability discovery to vulnerability patching.
Security isn't simple. The mantra 'just disable SELinux, you don't need it anyway because it's too big of a pain and apps that aren't part of the tested distribution can break' is oversimplifying a complex issue. My opinion is that I'm not going to run third party apps that break in that way, and I'm going to let the developers know why.
The user/group/other unix permission set is simple and it works unless something is broken. If you can't get that right you have no hope of doing better with anything else. More complex systems existed before unix and the argument that simplifying the setup to something understandable was a win was correct then and still is. The concept of adding layers is OK, but not if you don't get the simple version right first and make an effort not to run broken software.
SELinux is a powerful tool in helping combat zero day exploits from succeeding, in many cases.
And it also keeps most 3rd party software from working.
I'd ask you to qualify 'most'.
Pretty much anything that needs to write files outside of the home directory of the owning user. Certainly anything that uses apache with its own data store.
All of the third-party software I run seems to run just fine, as long as the right contexts are applied.
Well, obviously it will work after someone takes the time to make it work. Now it is your turn to quantify: How much would you charge to teach someone to be able to make those changes and how long would it take? This has to include the ability to quickly diagnose and fix any problem that might be caused by updates to the application or to the OS distribution.
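The diagnosis step discussed in the last two messages, as an added example that is not part of the thread: a Python triage of SELinux AVC denials that separates likely file-labeling problems (such as an Apache data store outside the default locations) from other denials. The log lines are constructed, and the set of "generic" types used as the labeling heuristic is an assumption.

```python
import re
from collections import Counter

# Constructed sample audit.log lines (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1291049551.101:410): avc:  denied  { write } for  pid=2345 comm="httpd" name="store" dev=dm-0 ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1291049551.102:411): avc:  denied  { write add_name } for  pid=2345 comm="httpd" name="store" dev=dm-0 ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1291049551.102:411): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1291049560.007:412): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<tclass>\S+)')

# Assumption: a confined daemon being denied access to one of these catch-all
# types usually means the files were never given a specific label.
GENERIC_TYPES = {"var_t", "default_t", "usr_t", "etc_t", "file_t", "unlabeled_t"}

def se_type(context):
    """Extract the type field from a user:role:type:level context."""
    return context.split(":")[2]

def summarize(log_text):
    """Count denials per (comm, source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # skip SYSCALL and other record types
        m = AVC_RE.search(line)
        if not m:
            continue
        for perm in m["perms"].split():
            key = (m["comm"], se_type(m["s"]), se_type(m["t"]), m["tclass"], perm)
            counts[key] += 1
    return counts

def labeling_suspects(counts):
    """Return (source, target, class) triples that look like mislabeled files."""
    return sorted({(src, tgt, tclass) for (_, src, tgt, tclass, _) in counts
                   if tclass in ("file", "dir") and tgt in GENERIC_TYPES})

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for key, n in sorted(summary.items()):
        print(n, *key)
    print("likely labeling problems:", labeling_suspects(summary))
```

Triples reported as labeling suspects are candidates for a file-context rule on the application's data directory; the remaining denials (the port connection here) need a different kind of policy change.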