[CentOS] SELinux - way of the future or good idea but !!!

Wed Dec 1 12:44:28 UTC 2010
Nico Kadel-Garcia <nkadel at gmail.com>

On Wed, Dec 1, 2010 at 12:52 AM, Geoff Galitz <geoff at galitz.org> wrote:
>>>> I would guess no one knows.  But all of my CentOS installs are OOB as
>>>> concerning SELinux, except the two scalix installs, which have some custom
>>>
>>> All I know is at the last two companies I worked at - AT&T, a small team
>>> building software for the NOC, a smaller root CA, and here at the federal
>>> agency I'm at, we either turned it off, or have it set to permissive.
>>
>> I disabled it on the last 1000 hosts *I* installed....
>
>
> Hmmm... it would be interesting to take some CentOS systems with
> production-like deployments (say 3 with SELinux and 3 without) and ask a
> professional pen-tester to try to get into them.
>
> Anyone willing to contribute funds (or time) to such a study?  It would be
> an educational experience and good PR, at the least.

Oh, I know the holes and which would be straightforward to get to.
There's generally enough lower-hanging fruit with NFS-stored
passwords, email with passwords, and poorly managed elevation via SSH
keys as policies before I even got there that this protection is like
putting a bike lock on a jello mold.