On Tue, December 30, 2014 03:18, Digimer wrote:
What possible reason could they have for that?
On 30/12/14 02:17 AM, Laurent Dumont wrote:
By any chance, is it a VPS? I know that my CloudAtCost (very cheap but extremely unreliable provider) prevents you from using SELinux on their CentOS image.
No mysterious breakages == lower support costs. The same reason Microsoft shipped everything on and open for years and thereby built up the malware industry from scratch.
On Tue, December 30, 2014 3:45 pm, James B. Byrne wrote:
On Tue, December 30, 2014 03:18, Digimer wrote:
What possible reason could they have for that?
On 30/12/14 02:17 AM, Laurent Dumont wrote:
By any chance, is it a VPS? I know that my CloudAtCost (very cheap but extremely unreliable provider) prevents you from using SELinux on their CentOS image.
No mysterious breakages == lower support costs. The same reason Microsoft shipped everything on and open for years and thereby built up the malware industry from scratch.
I have that vague feeling that what I'm about to say will probably be declared wrong... Still. From the very beginning I have not considered SELinux as adding to the security of the system. How can it, if it can be turned off on the fly? On the other hand, it adds hundreds of thousands of lines of kernel code, which does exactly the opposite: it deteriorates security by potentially introducing bugs. I discovered at some point that there are other people out there who share this opinion ;-)
So, my question is: can someone design an attack scenario which would be successful if it were not for SELinux, and which is thwarted by SELinux? Note that the fact that a script kiddie just forgot to put as the first line
/usr/sbin/setenforce 0
doesn't make such an example a solid case pro SELinux for me.
Thanks a lot for your insight! (Always hoping to learn ;-)
Valeri
++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++
On 30/12/14 22:07, Valeri Galtsev wrote:
I have that vague feeling that what I'm about to say will probably be declared wrong... Still. From the very beginning I have not considered SELinux as adding to the security of the system. How can it, if it can be turned off on the fly? On the other hand, it adds hundreds of thousands of lines of kernel code, which does exactly the opposite: it deteriorates security by potentially introducing bugs. I discovered at some point that there are other people out there who share this opinion ;-)
So, my question is: can someone design an attack scenario which would be successful if it were not for SELinux, and which is thwarted by SELinux? Note that the fact that a script kiddie just forgot to put as the first line
/usr/sbin/setenforce 0
doesn't make such an example a solid case pro SELinux for me.
Thanks a lot for your insight! (Always hoping to learn ;-)
Disabling SELinux requires root privileges, at which point almost all security implementations are pretty useless.
Firewalls add much code to the kernel and can also be "turned off on the fly" by any "script kiddie" with root privileges. Should we discount them too?
IMHO your arguments are weak, with bad examples. The question you should be asking is how effective SELinux would be in preventing an initial remote exploit, or in preventing an attacker from gaining further escalation of privileges once they have gained access to the system.
In answer to your question, you will find lots of good real-life examples in Dan's blog here:
On Tue, December 30, 2014 6:41 pm, Ned Slider wrote:
On 30/12/14 22:07, Valeri Galtsev wrote:
I have that vague feeling that what I'm about to say will probably be declared wrong... Still. From the very beginning I have not considered SELinux as adding to the security of the system. How can it, if it can be turned off on the fly? On the other hand, it adds hundreds of thousands of lines of kernel code, which does exactly the opposite: it deteriorates security by potentially introducing bugs. I discovered at some point that there are other people out there who share this opinion ;-)
So, my question is: can someone design an attack scenario which would be successful if it were not for SELinux, and which is thwarted by SELinux? Note that the fact that a script kiddie just forgot to put as the first line
/usr/sbin/setenforce 0
doesn't make such an example a solid case pro SELinux for me.
Thanks a lot for your insight! (Always hoping to learn ;-)
First of all, thanks for your input!
Disabling SELinux requires root privileges, at which point almost all security implementations are pretty useless.
Not necessarily. There was (or still is?) a kernel patch by Purdue University folks, called LIDS (Linux Intrusion Detection System, if my memory doesn't fail me). It is slightly different from what the name suggests. Basically, upon successful boot, root is demoted to user nobody. That's it: you can be root, but you can not do anything. Administering such a system is a bitch (you can only make changes offline). But try to break into this. So, there is at least one implementation. Incidentally, LIDS was also a candidate for the mainstream kernel, but somehow SELinux won, or maybe the last didn't affect it...
Firewalls add much code to the kernel and can also be "turned off on the fly" by any "script kiddie" with root privileges. Should we discount them too?
IMHO your arguments are weak, with bad examples. The question you should be asking is how effective SELinux would be in preventing an initial remote exploit, or in preventing an attacker from gaining further escalation of privileges once they have gained access to the system.
I wouldn't argue with that. My teachers kept repeating that there are no stupid questions; what is stupid is not to ask questions... To learn what good something does _is_ helpful, no argument. To ask what can be done better than the existing solution may be more productive, as it encourages moving farther.
In answer to your question, you will find lots of good real-life examples in Dan's blog here:
Thanks for the link, I'll do my careful reading, I likely will change my opinion some... we'll see. My trouble may be: I definitely will compare what I read with LIDS subconsciously ;-(
Thanks again!
Valeri
On Tue, Dec 30, 2014 at 04:07:25PM -0600, Valeri Galtsev wrote:
So, my question is: can someone design an attack scenario which would be successful if it were not for SELinux, and which is thwarted by SELinux? Note that the fact that a script kiddie just forgot to put as the first line
/usr/sbin/setenforce 0
doesn't make such an example a solid case pro SELinux for me.
If this attack scenario is attacking a service running as root (which would be required to setenforce 0), it'd still be prevented as long as the service runs in a confined domain that has rules to stop it (which most services do, for obvious reasons).
This is one of the reasons why it's best to run the packaged software in standard locations. Running Apache from /usr/local/apache-1.2.3/sbin/httpd instead of /usr/sbin/httpd would mean it would have the wrong context and wouldn't have all the built-in protection included in the SELinux httpd policy.
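The point in that last message (a binary in a non-standard path gets a generic file label, so the daemon never transitions into its confined domain) can be checked mechanically. The following is an added example and is not code from the thread or from the SELinux project: a small Python model of how libselinux picks a label from file_contexts and of the exec-time domain transition. The file_contexts entries and the transition table are a constructed subset of a targeted policy, reduced to the entries needed for the two paths discussed above; the function names are illustrative.

```python
import re

# Constructed subset of a targeted-policy file_contexts database (the real
# file has thousands of entries). One entry per line:
#   <anchored path regex>  [<file-type flag>]  <security context>
# The file-type flag is optional: "--" regular file, "-d" directory, "-l" symlink.
FILE_CONTEXTS = r"""
/.*                          system_u:object_r:default_t:s0
/usr/.*                      system_u:object_r:usr_t:s0
/usr/(.*/)?sbin(/.*)?        system_u:object_r:bin_t:s0
/usr/sbin/httpd(\.worker)?   --   system_u:object_r:httpd_exec_t:s0
/var/www(/.*)?               system_u:object_r:httpd_sys_content_t:s0
/etc/shadow.*                --   system_u:object_r:shadow_t:s0
"""

# Constructed subset of the policy's type_transition rules for exec:
# (caller domain, type of the executable) -> domain of the new process.
EXEC_TRANSITIONS = {
    ("init_t", "httpd_exec_t"): "httpd_t",
}


def parse_file_contexts(text):
    """Parse file_contexts lines into (compiled regex, file-type flag, context)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, ftype, context = fields
        elif len(fields) == 2:
            regex, context = fields
            ftype = None
        else:
            raise ValueError("malformed file_contexts entry: %r" % line)
        specs.append((re.compile(regex), ftype, context))
    return specs


SPECS = parse_file_contexts(FILE_CONTEXTS)


def lookup_context(path, ftype="--", specs=SPECS):
    """Return the context restorecon(8) would assign to `path`.

    Mirrors libselinux's lookup rule: entries are tried from the last one
    back to the first, so the more specific entries listed later win, and
    an entry carrying a file-type flag only applies to objects of that type.
    Patterns are anchored, hence fullmatch().
    """
    for regex, spec_ftype, context in reversed(specs):
        if spec_ftype is not None and spec_ftype != ftype:
            continue
        if regex.fullmatch(path):
            return context
    return None


def type_of(context):
    """Extract the type field from user:role:type:level."""
    return context.split(":")[2]


def domain_after_exec(caller_domain, exec_path):
    """Domain a process runs in after `caller_domain` execs `exec_path`.

    Simplified model: with no matching type_transition rule the new process
    keeps the caller's domain, so none of the confined domain's rules apply.
    """
    exec_type = type_of(lookup_context(exec_path))
    return EXEC_TRANSITIONS.get((caller_domain, exec_type), caller_domain)


if __name__ == "__main__":
    for path in ("/usr/sbin/httpd", "/usr/local/apache-1.2.3/sbin/httpd"):
        print("%-40s label=%-12s domain after exec from init_t: %s"
              % (path, type_of(lookup_context(path)),
                 domain_after_exec("init_t", path)))
```

On a real system the same question is answered by `matchpathcon /usr/local/apache-1.2.3/sbin/httpd` before starting the daemon and `ps -eZ | grep httpd` afterwards; a binary in a non-standard location is brought under the httpd policy with `semanage fcontext -a -t httpd_exec_t '/usr/local/apache-1.2.3/sbin/httpd'` followed by `restorecon -v` on that path.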