[CentOS] SELinux - way of the future or good idea but !!!

Wed Dec 8 16:10:50 UTC 2010
Les Mikesell <lesmikesell at gmail.com>

On 12/8/2010 4:04 AM, David Sommerseth wrote:
>
>>> Disabling SELinux is the same type of decision as disabling the firewall ---
>>> it's there to protect you, yet you don't know how to properly configure it and
>>> use it, furthermore you don't want to bother to learn, so you simply disable
>>> the thing that's getting in your way and preventing you from doing what you
>>> want (which is typically very stupid security-wise, but the ignorant don't care
>>> anyway...).
>>
>> Or you might use a hardware firewall platform so you don't have to deal with all
>> the bizarrely different ways every system you touch handles software firewalling.
>
> You still need to learn how to use that hardware firewall, though.

Our network group is much smaller than the group that installs and 
maintains servers, so specialized knowledge about one specific product 
is not so unreasonable.  Plus, code updates to networking equipment are 
rare and breaking existing configurations almost unheard of.  And 
changing the firewall platform has no side effects on any applications 
that might be running on the network behind them.


>> Agreed, and something that equally needs standardization.
>
> iptables is a de-facto standard on all Linux distributions nowadays.  It
> is not ratified by ISO, IETF or similar ... but how does that make the
> real life scenario any different?  That's just a piece of paper.
> iptables works, and so does SELinux - when you learn how to use it.

The real life situation is that iptables only works on linux and the way 
it works is distribution-dependent.  So what you learn may lock you into 
a platform that may not always be your best choice.

> SELinux came as a result that someone found weaknesses and wanted to try
> avoid security issues.  Just like when firewalls began to become so
> popular 20-30 years ago or so.  There was a need to improve something,
> and someone did the job.  Nobody cared much about firewalls in the early
> 80's.  Why?  Maybe because nobody thought anyone would abuse or misuse
> the network infrastructure?

Does that mean you would not be comfortable moving your applications to 
SUSE, Solaris, OS X, Windows, etc.?   I don't want that kind of lock-in.

> SELinux has been around for about a decade or so.  And I believe that
> the more widespread SELinux becomes, and the more users it gets, the
> more people will not understand such discussions like this.

Agreed - if it is as standard and cross-platform as Posix support you 
will be able to depend on it without the associated side effect of being 
locked to a particular OS distribution.

-- 
     Les Mikesell
       lesmikesell at gmail.com