On Mon, Jun 18, 2007 at 12:18:40PM -0600, Stephen John Smoogen wrote:
> On 6/18/07, Stephen Harris lists@spuddy.org wrote:
> > I've never said there are _no_ cases for SELinux. I was questioning it as a general rule for all machines.
> Several of the problems were machines that were not connected to the internet or were deep behind firewalls. The problems were that all it takes is one user who doesn't think well to make all those firewalls/issues useless. E.g. the person who, coming in from work, finds a nice shiny USB fob and plugs it into a work computer to see who it belonged to so they could return it. The guy who downloads an
[ etc ]
This is why I mentioned "risk profile" in another message. You evaluate the perceived risk, the likelihood of the event happening, the cost of the event, the "cost" of a potential solution and perform an analysis.

So one might rank the items like this:

  external facing servers: high risk! Automated attacks possible
  Desktop workstations: moderate. User stupidity highest attack vector
  General compute server: low risk. Only "trained" staff have access.

Each of those profiles has different uses and requires different solutions.
On a DMZ machine you probably wouldn't use unauthenticated naming services (e.g. LDAP with SSL certs is OK, NIS is bad!). SELinux or SEOS is a very good idea. chroot'd daemons, maybe read-only filesystems, disable unnecessary setuid programs, minimal install. Disable hotplug ports.
On a desktop you need GUIs. Centralised naming services. Roaming profiles. Maybe a netboot'd image (no local storage). Disable hotplug ports, or at least minimise scope so that only authorised devices (Blackberrys, whatever) can sync. In particular, mass storage isn't allowed. End users don't have root access.
General compute server... well, now we have further ranking; prod/dev/uat boxes have different risk profiles. SOX scoped boxes even more.
And so on.
(Umm, sorry for going on... I work in an area where these things are every day considerations so...)
> up to you as the site administrator to determine what is safe enough
Actually, in large companies you have a whole risk organisational structure whose job it is to evaluate these things and determine policy. They straddle the line between technology (my side) and business (my customer) needs and try to balance the two.
> for Your Site using appropriate risk management. If you believe your site has enough methods of protection or that the cost of extra security (selinux) is not appropriate for your risk model.. you can turn it off.
I'd argue the opposite; if you feel the risk exposure is such that you need the protection then enable it. I've listed cases where this is the case.
That cases exist for SELinux does not mean it should be on by default, and is definitely not deserving of a sheeplike response whenever anyone proposes otherwise.