[CentOS] SELinux - way of the future or good idea but !!!

Tue Dec 7 19:45:02 UTC 2010
Marko Vojinovic <vvmarko at gmail.com>

On Tuesday 07 December 2010 16:59:22 Benjamin Franz wrote:
> On 12/07/2010 08:12 AM, Daniel J Walsh wrote:
> > Yes SELinux and all MAC systems require that if the administrator puts
> > files in non default directories, then they have to have to be told.  In
> > the case of SELinux, this involves correcting the labeling.  DAC has
> > similar problems, in that you need to make sure the permission flags and
> > ownership are correct.  Of course admins have been dealing with DAC for
> > years so they understand it, and the number of UID/Permission
> > combinations is more limited than the amount of labels that SELinux
> > presents.
> 
> The fact remains that as the old saw goes: Make it hard enough to do
> something and people will quit doing it.

Precisely --- make it hard enough for people to keep files in non-default 
location, and use the broken/unsafe configuration of various services, and 
eventually people will learn how to do things properly. ;-)
 
> SELinux remains *hard* for most non-default users. As the lead SE
> developer, things you find utterly routine and only slightly annoying
> are major roadblocks to many other people. You aren't the average user.
> You aren't even close to one. A *sophisticated* user will see the
> suggestion given by sealert to run chcon, follow it, *and have no idea
> that a system relabel can screw it up again*. sealert doesn't even
> mention the issue! It is as if the person who wrote the sealert messages
> never considered that people would like things fixed permanently rather
> than just until the next SELinux update relabels the system.

Oh, come on, any "sophisticated" user will RTFM!! Hopefully *before* 
executing anything completely blindly, as root.

Just man semanage and man restorecon. How hard can that be?!
 
> I have 15 years experience running Linux servers. And I find SELinux
> damn annoying. I can work with it at need - but I'm generally pissed off
> when I find 'yet another SELinux issue'. My boss, who is the fallback
> admin here, would find it utterly opaque. He would have no idea where to
> even start looking for an SELinux issue.

Two man pages are too hard for your boss to read and understand?! I find it 
hard to believe that any tech-savvy admin is too incompetent to learn how to 
use a new tool (any new tool, including SELinux). Computers in general are a 
fast-moving target, and people who cannot keep up should get retired and find 
something else to do, or hire someone to help/teach them.

I find the slow adoption of SELinux to be a psychological rather than a 
technical issue. Once, out of nowhere, there just appeared this new thing, 
going by the name "Security Enhanced Linux", and it tells people in the face 
that the way they configured their systems for the past n years is unsafe, 
insecure, full of security holes and a Bad Idea in general. And since their 
ego gets hurt in the process, they choose to disable SELinux rather than learn 
how to use it properly.

On that note, I know people who still routinely log into X as root, and refuse 
to acknowledge that it is a Very Bad Idea. Just look at the mess in Windows 
world --- there *are* proper user accounts with limited permissions and all, 
quite available and easy to configure. And how many people bother to use them? 
It's much easier to just be root, right? Why bother with all that permissions 
stuff? After all, it's so utterly opaque to any sophisticated user, right? My 
boss would never even think of executing "ls -l" to check for proper file 
permissions, let alone read a manual for chmod and chown...

I mean, what are we talking about here? SELinux is another security layer, and 
it reduces the number of wrong ways you can configure your system. And if you 
insist on doing things the wrong way, it yells at you and you need to decide 
what to do about it (either shut it up or reconfigure things properly). Every 
serious admin finds such a tool quite useful, at least as a real-time guide to 
proper system configuration, let alone as an intrusion prevention mechanism.

And it isn't really rocket science. It's just an extension to the existing 
classical permissions system --- it works in an analogous way, just with greater 
flexibility and power. If you know how to understand and use file permissions, 
you will easily grasp all about SELinux.

And if you are running 3rd party software which isn't SELinux aware, you have 
several choices, in order of preference:

1) contact the software devs and complain that their software is broken
2) contact your boss and tell him that running such software is bad for 
security and that he should consider migrating to something with better 
support
3) use semanage, restorecon, audit2allow to modify the local policy, and have 
your boss sign a document releasing you from any responsibility if an intrusion 
happens through this vector
4) run SELinux in permissive mode, and try to learn from the alerts about all 
the things your system is doing wrong
5) disable SELinux and be ignorant about security.

If you choose 5), feel free to also disable iptables, log in as root all the 
time, and make sure that the root password is clearly visible on the company 
website. Why bother with all that stuff, anyway? ;-)

HTH, :-)
Marko
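
An added example, not part of the original post and not code from the CentOS or 
SELinux projects: a small POSIX sh script that reduces one AVC denial line from 
audit.log to its "source domain / target type / object class" triple, and then 
prints the semanage fcontext + restorecon pair that fixes a mislabeled 
non-default directory permanently, next to the chcon command that the next 
relabel would undo (the point of the chcon/sealert complaint quoted above). The 
path /srv/www, the type httpd_sys_content_t and the sample audit line are all 
made up for the illustration; the commands are printed rather than executed so 
they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example, not from the original post or the CentOS project.
# Shows the persistent way to label a non-default directory for a
# service: a semanage fcontext rule plus restorecon, as opposed to a
# bare chcon, which the next full relabel silently reverts.
# Assumptions (hypothetical): the web root is /srv/www and the wanted
# type is httpd_sys_content_t; the AVC line below is constructed.

# Reduce one audit.log AVC denial to "source_type target_type class",
# e.g. "httpd_t default_t file": the source domain is the confined
# process, the target type is the label on the object it touched.
avc_summary() {
    printf '%s\n' "$1" | awk '
        /avc: *denied/ {
            src = ""; tgt = ""; cls = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "scontext") { split(kv[2], s, ":"); src = s[3] }
                if (kv[1] == "tcontext") { split(kv[2], t, ":"); tgt = t[3] }
                if (kv[1] == "tclass")   { cls = kv[2] }
            }
            print src, tgt, cls
        }'
}

# Emit the two commands that make the label survive a relabel:
# 1. record the path->type mapping in the local policy file contexts;
# 2. apply that mapping to what is on disk right now.
# They are printed, not run, so they can be reviewed and then piped
# to sh as root.
persistent_label_commands() {
    path=$1; ctx_type=$2
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$ctx_type" "$path"
    printf 'restorecon -Rv "%s"\n' "$path"
}

# What NOT to rely on: chcon writes the same label, but only into the
# files' extended attributes, so restorecon (or touch /.autorelabel)
# puts the policy default (here default_t) back.
temporary_label_command() {
    printf 'chcon -R -t %s "%s"\n' "$2" "$1"
}

# Constructed sample denial, in the format audit.log uses.
SAMPLE_AVC='type=AVC msg=audit(1291749902.123:45): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/srv/www/index.html" dev=sda1 ino=2 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file'

echo "denial: $(avc_summary "$SAMPLE_AVC")"
echo "temporary fix (reverted by the next relabel):"
temporary_label_command /srv/www httpd_sys_content_t
echo "persistent fix:"
persistent_label_commands /srv/www httpd_sys_content_t
```

The script only covers the labeling case, which is what the quoted chcon 
complaint is about. The audit2allow route from step 3) above is for a 
different situation: the label is already the intended one and the policy 
genuinely lacks the rule, so a local policy module is built instead of a file 
context rule.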