On 11/29/2010 10:17 AM, Lamar Owen wrote:
On Sunday, November 28, 2010 10:37:29 pm Les Mikesell wrote:
But that means you were running software with vulnerabilities or a user would not be able to become root anyway. Is that due to not being up to date (i.e. would normal, non-SELinux measures have been enough), or was this before a fix was available?
By definition we are all running software with vulnerabilities. Those vulnerabilities may not be public knowledge yet, but they are there, and many are likely known by the blackhats already, and kept 'mum.'
Fixing vulnerabilities and keeping up to date alone is insufficient to keep you secure. Can you say 'zero day?'
Agreed, but not everyone has time to do both - or to learn lots of distribution-specific details in mixed environments. My opinion is that doing the simple stuff first is a win. And that works the same on systems that don't include SELinux.
SELinux is a powerful tool for helping keep zero day exploits from succeeding, in many cases.
And it also keeps most 3rd party software from working. If you are storing credit card numbers or personal information that would be expensive to leak, then you obviously need to make every effort possible to block intrusion, although the people who regulate this stuff don't require SELinux explicitly. But not all machines do that.
I've run with SELinux in enforcing (targeted) mode on my laptop, now, since Fedora 11, and have only had two issues that required some head-scratching. One was solved by a relabel. The other was a little more devious, but a little tweaking in permissive mode showed me the solution. I did learn a couple of really good lessons from that, though. The first was to always keep a Fedora Live boot media with the laptop (CD or USB, or another partition on the hard disk). The second was that there are some updates that must occur in pairs, and occasionally a relabel of at least part of the filesystem is going to be required. But that's not hard to trigger, and isn't that inconvenient.
How much 3rd party software do you run where someone else has not already spent the time to work out the policies needed to let it work?
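The two remedies the thread touches on, relabeling a mislabeled file and working out the policy a third-party program needs from the denials it logs in permissive mode, can be shown on a few AVC lines. The script below is an added example, not code from either poster; the three audit records it parses are constructed, not real log data. Its awk function is a simplified stand-in for what `audit2allow` does (merge denials into `allow source_type target_type:class { perms };` rules), and the second function prints the `restorecon` command to try first for any denial that names a path, since a file wearing the wrong label for its location is a relabel problem, not a policy problem. On a real Fedora or CentOS box you would run `audit2allow -a -M local` and `semodule -i local.pp` rather than this.

```shell
#!/bin/sh
# Constructed AVC denial records in audit.log format (sample data, not a real log):
# httpd reading a home-directory file, then connecting to the PostgreSQL port.
SAMPLE_AVC='type=AVC msg=audit(1291050000.101:401): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev=sda1 ino=40321 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1291050000.102:402): avc:  denied  { getattr } for  pid=2101 comm="httpd" path="/home/owen/www/index.html" dev=sda1 ino=40321 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1291050000.103:403): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket'

# avc_to_allow: read AVC records on stdin and print one allow rule per
# (source type, target type, object class), merging the permissions of
# repeated denials, the way audit2allow summarises them. Output is sorted
# so it is stable for comparison.
avc_to_allow() {
    awk '
    /avc: *denied/ {
        # the denied permissions sit between the braces
        perms = ""
        if (match($0, "[{][^}]*[}]")) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
        }
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # contexts are user:role:type:level; the type is the third field
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        key = src " " tgt ":" cls
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) {
            if (!((key, p[j]) in seen)) {
                seen[key, p[j]] = 1
                rule[key] = rule[key] " " p[j]
            }
        }
    }
    END {
        for (k in rule) printf "allow %s {%s };\n", k, rule[k]
    }' | sort
}

# relabel_candidates: for every denial that names a path, print the
# restorecon command to try before widening policy. If the file then gets
# the type the file contexts say it should have, the allow rule above for
# it is unnecessary (and would grant httpd_t access to real home files).
relabel_candidates() {
    awk '
    /avc: *denied/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^path=/) {
            p = substr($i, 6)
            gsub(/"/, "", p)
            print "restorecon -v " p
        }
    }' | sort -u
}

# Run both passes over the sample when executed directly.
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
printf '%s\n' "$SAMPLE_AVC" | relabel_candidates
```

The output pairs the two lessons: the `tcp_socket` denial is a genuine policy gap (or the `httpd_can_network_connect_db` boolean, on distributions that ship it) and gets an allow rule, while the `user_home_t` file denial carries a path, so the first thing to try is relabeling it and re-running in permissive mode to see which denials remain.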