[CentOS] SELinux - way of the future or good idea but !!!

Wed Dec 8 03:28:27 UTC 2010
Les Mikesell <lesmikesell at gmail.com>

On 12/7/10 8:28 PM, Marko Vojinovic wrote:
>> I think you've missed the point that 'all that stuff' (being traditional
>> unix security mechanisms) are not all that insecure.  It is only when you
>> get them wrong that you need to fall back on selinux as a safety net.
>> And if you can't get the simple version right, how can you hope to do it
>> right with something wildly more complicated?
> My comment was ironic --- the point is that if you decide you don't need one
> security layer, why don't you decide that you actually don't need another, and
> another, and... all of them?

Well, one reason might be that you've used those other standards-ratified layers 
for decades and the only problems you've ever had were caused by stupid 
programming.  So you don't expect adding another layer of programming that isn't 
standardized across platforms to solve all your problems.

> Disabling SELinux is the same type of decision as disabling the firewall ---
> it's there to protect you, yet you don't know how to properly configure it and
> use it, furthermore you don't want to bother to learn, so you simply disable
> the thing that's getting in your way and preventing you from doing what you
> want (which is typically very stupid securitywise, but ignorant don't care
> anyway...).

Or you might use a hardware firewall platform so you don't have to deal with all 
the bizarrely different ways every system  you touch handles software firewalling.

> And I could argue that iptables configuration is at least equally complex as
> SELinux configuration.

Agreed, and something that equally needs standardization.

> So I would expect the admin who disables SELinux by default to also disable
> the firewall by default --- they both get in your way, especially if you use
> some 3rd party software that requires both of them to be custom-configured.

No, I would expect the admin who disables SELinux to be managing thousands of 
machines, many different OS versions, with programs from hundreds of sources 
running on them, with those hundreds of software sources not catering to the 
non-standard needs of one particular platform.

> But I don't see anyone suggesting that disabling the firewall would be a good
> idea, so why disable SELinux then? Once you go down the "I don't need this
> security layer" road, where do you stop, and why?

Anyone who started before SELinux was around is probably quite comfortable 
without it.  And perhaps the same for iptables or software/host based firewalls, 
though not firewalling in general.

   Les Mikesell
    lesmikesell at gmail.com