[CentOS] SELinux threads, cynicism, one-upmanship, etc.

Sat Nov 19 23:14:14 UTC 2005
Lamar Owen <lowen at pari.edu>

> On Sat, 2005-11-19 at 14:02, Lamar Owen wrote:
>> So much for older and simpler is
>> better; why don't we go back to VMS?  It's substantially more secure
>> than
>> Linux (the Linux kernel and heritage is not 30 years old, because Linux
>> is
>> not Unix).
>
> The VMS model isn't older and simpler than unix - it is more complex and
> around the same age.

It is slightly more complex, and demonstrably more secure.

> system.  People have had a choice between VMS and unix for a long time
> and VMS found a very small niche of popularity.

I have SIMH under Linux running OpenVMS Hobbyist 7.3 here.  It's a fun
system.

> No, the kernel provides the mechanism of chroot, and has more or less
> forever.  A policy of using it or not is left up to you.  Simplicity
> in the kernel.

This is not unlike the mechanism of SELinux's RBAC/MAC being in the kernel
(and not terriby complex; yes, more complex than chroot, but perhaps not
as complex as netfilter), but the policy in userland.

>> The other typical answer to exploits is firewalling: pray tell where
>> that
>> policy is enforced.

> The best place is on a separate box from anything that it should be
> protecting.

Regardless, it's in the kernel on that box, if that box is a linux box. 
Lots of people use netfilter, and it has not been without its own bugs. 
And it's pretty complex, and in the kernel.

But kernel versus userspace isn't going to get settled here; this isn't
the microkernel-versus-monolithic-kernel mailing list.  CentOS has a
monolithic kernel that has loaded SELinux code, even if you set SELinux to
be off.  Netfilter code is in the kernel, whether you setup any iptables
or not.  The kernel is complex; even if the feature (SELinux) isn't
enabled bugs in that code could theoretically get you.  So turning it OFF
(which isn't really off) versus permissive isn't really much.  Otherwise
you need to compile a kernel without it completely.

I don't think we're going to find any profound truths on either side of
this discussion;  I simply have issue with the automatic 'old admin's
tales' to turn it off.  And I have issue with the mindset of answering a
question on a problem an interested user/sysadmin has with SELinux with
'just turn it off.  It breaks too many things.'  That is wrongthink.
-- 
Lamar Owen
Director of Information Technology
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC  28772
(828)862-5554
www.pari.edu