[CentOS] SELinux - way of the future or good idea but !!!

Wed Dec 8 18:55:32 UTC 2010
David Sommerseth <dazo at users.sourceforge.net>

On 08/12/10 17:10, Les Mikesell wrote:
> On 12/8/2010 4:04 AM, David Sommerseth wrote:
[...snip...]
>>> Agreed, and something that equally needs standardization.
>>
>> iptables is a de-facto standard on all Linux distributions nowadays.  It
>> is not ratified by ISO, IETF or similar ... but how does that make the
>> real life scenario any different?  That's just a piece of paper.
>> iptables works, and so does SELinux - when you learn how to use it.
> 
> The real life situation is that iptables only works on linux and the way 
> it works is distribution-dependent.  So what you learn may lock you into 
> a platform that may not always be your best choice.

Please educate me here.  I've been using Novell SuSE Linux,
RHEL/CentOS/Fedora, Gentoo, Crux Linux, RootLinux, Slackware, Ubuntu, my
N900's maemo5 (which is Debian based) and OpenWRT based routers ... and
I have not seen iptables behave differently than expected on any of
these ... I don't completely understand your argument.

Some of these distros do indeed have their own additional tools, like
YaST2, ufw, system-config-firewall, etc. ... Those will be different,
but they all use iptables under the hood.  I'm not talking about the
simplified iptables front-ends, as those *are* expected to be different.

>> SELinux came as a result that someone found weaknesses and wanted to try
>> avoid security issues.  Just like when firewalls began to become so
>> popular 20-30 years ago or so.  There was a need to improve something,
>> and someone did the job.  Nobody cared much about firewalls in the early
>> 80's.  Why?  Maybe because nobody thought anyone would abuse or misuse
>> the network infrastructure?
> 
> Does that mean you would not be comfortable moving your applications to 
> SUSE, Solaris, OS X, Windows, etc.?   I don't want that kind of lock-in.

Considering Debian is on the move towards SELinux (Lenny installs
SELinux packages by default, just not enabled by default), openSuSE is
moving towards SELinux[1], and Gentoo has hardened/SELinux projects going
on ... moving from RHEL/CentOS to other Linux distros will not be an
issue in the future.  Since I see that SELinux does begin to get some
traction in other distros as well, I am not worried about a
"lock-in" on SELinux.

When it comes to Solaris, OS X and Windows, that is not comparable, as
when you base your installations on Linux, you already at that point
limit yourself somewhat.  And those OSes have completely different
security mechanisms.  Whether they are comparable, better or worse than
SELinux, I don't know - because I prefer Linux in general, as it is a
F/OSS product.  But with the knowledge I now have of SELinux, I would be
reluctant to move over to a platform which does not have something similar.

[1]
<http://news.opensuse.org/2008/08/20/opensuse-to-add-selinux-basic-enablement-in-111/>

>> SELinux has been around for about a decade or so.  And I believe that
>> the more widespread SELinux becomes, and the more users it gets, the
>> more people will not understand such discussions like this.
> 
> Agreed - if it is as standard and cross-platform as Posix support you 
> will be able to depend on it without the associated side effect of being 
> locked to a particular OS distribution.

First of all SELinux is written for Linux.  Or else it would probably
have been called SEPosix.

Second, iptables is a de-facto standard for Linux, just as pf is pretty
much the standard firewalling on BSD.  Windows and Solaris have their own
firewalling methods as well.  My point is, none of them are Posix
standards ... would you prefer to not use any of these firewall
implementations due to lack of cross-platform Posix support?

Kind regards,

David Sommerseth