On Tuesday 07 December 2010 16:59:22 Benjamin Franz wrote:
On 12/07/2010 08:12 AM, Daniel J Walsh wrote:
Yes SELinux and all MAC systems require that if the administrator puts files in non default directories, then they have to have to be told. In the case of SELinux, this involves correcting the labeling. DAC has similar problems, in that you need to make sure the permission flags and ownership is correct. Of course admins have been dealing with DAC for years so they understand it, and the number of UID/Permision combinations is more limited then the amounts of labels that SELinux presents.
The fact remains that as the old saw goes: Make it hard enough to do something and people will quit doing it.
Precisely --- make it hard enough for people to keep files in non-default location, and use the broken/unsafe configuration of various services, and eventually people will learn how to do things properly. ;-)
SELinux remains *hard* for most non-default users. As the lead SE developer, things you find utterly routine and only slightly annoying are major roadblocks to many other people. You aren't the average user. You aren't even close to one. A *sophisticated* user will see the suggestion given by sealeart to run chcon, follow it, *and have no idea that a system relabel can screw it up again*. sealert doesn't even mention the issue! It is as if the person who wrote the sealert messages never considered that people would like things fixed permanently rather than just until the next SELinux update relabels the system.
Oh, come on, any "sophisticated" user will RTFM !! Hopefully *before* executing anything completely blindly, as root.
Just man semanage and man restorecon. How hard can that be?!
I have 15 years experience running Linux servers. And I find SELinux damn annoying. I can work with it at need - but I'm generally pissed off when I find 'yet another SELinux issue'. My boss, who is the fallback admin here, would find it utterly opaque. He would have no idea where to even start looking for an SELinux issue.
Two man pages are too hard for your boss to read and understand?! I find it hard to believe that any tech-savvy admin is too incompetent to learn how to use a new tool (any new tool, including SELinux). Computers in general are a fast-moving target, and people who cannot keep up should get retired and find something else to do, or hire someone to help/teach them.
I find the slow adoption of SELinux to be a psychological rather than a technical issue. Once, out of nowhere, there just appeared this new thing, going by the name "Security Enhanced Linux", and it tells people in the face that the way they configured their systems for the past n years is unsafe, insecure, full of security holes and a Bad Idea in general. And since their ego gets hurt in the process, they choose to disable SELinux rather than learn how to use it properly.
On that note, I know people who still routinely log into X as root, and refuse to acknowledge that it is a Very Bad Idea. Just look at the mess in Windows world --- there *are* proper user accounts with limited permissions and all, quite available and easy to configure. And how many people bother to use them? It's much easier to just be root, right? Why bother with all that permissions stuff? After all, it's so utterly opaque to any sophisticated user, right? My boss would never even think of executing "ls -l" to check for proper file permissions, let alone read a manual for chmod and chown...
I mean, what are we talking about here? SELinux is another security layer, and it reduces the number of wrong ways you can configure your system. And if you insist to do things in the wrong way, it yells at you and you need to decide what to do about it (either shut it up or reconfigure things properly). Every serious admin finds such a tool quite useful, at least as a real-time guide to proper system configuration, let alone intrusion prevention mechanism.
And it isn't really rocket science. It's just an extension to the existing classical permissions system --- it works in analogous way, just with greater flexibility and power. If you know how to understand and use file permissions, you will easily grasp all about SELinux.
And if you are running 3rd party software which isn't SELinux aware, you have several choices, in order of preference:
1) contact the software devs and complain that their software is broken 2) contact your boss and tell him that running such software is bad for securuty and that he should consider migrating to something with better support 3) use semanage, restorecon, audit2allow to modify the local policy, and have your boss sign a document releasing you of any responsibility if an intrusion happens through this vector 4) run SELinux in permissive mode, and try to learn from the alerts about all the things your system is doing wrong 5) disable SELinux and be ignorant about security.
If you choose 5), feel free to also disable iptables, log in as root all the time, and make sure that the root password is clearly visible on the company website. Why bother with all that stuff, anyway? ;-)
HTH, :-) Marko