[CentOS] SELinux - way of the future or good idea but !!!
vvmarko at gmail.com
Sun Nov 28 18:29:47 EST 2010
On Sunday 28 November 2010 19:28:17 Les Mikesell wrote:
> On 11/28/10 1:06 PM, Jorge Fábregas wrote:
> > There has been a lot of progress with SELinux lately. I think you should
> > reconsider your position and perhaps give it a try on the upcoming CentOS
> > 6 where the targeted policy is much matured.
> SELinux has been around many years now. Are there any objective metrics we
> can observe instead of having people rant about their own opinions here?
> Things like:
> Number of bugs posted against SELinux itself.
If you mean actual SELinux code (built in the kernel), it's a reasonably
simple thing, AFAIK. In a nutshell, it takes the label of the app trying to
gain some access, the label of the file being accessed, and looks up in a table
of rules (the policy) to see if the two are compatible. It isn't much different
than the permissions system or the firewall. I don't expect any serious number
of bugs reported against the code that implements that kind of thing.
If, however, you mean the SELinux policy, this is a moving target --- it
evolves and changes even without bug reports, so any potential number of
reported bugs would not be much useful as a meaningful piece of metric.
> Measured hours of effort to learn the system well.
That gives you all operational knowledge one typically needs when dealing with
SELinux. Of course, you can always invest more time and read a more elaborate
piece of documentation, if you wish.
But for a reasonably capable sysadmin, reading three man pages is not a
terrible effort, it can be done in less than one hour.
> Ratio of security breeches expected on systems that do/don't include
> SELinux. Lists of 3rd party apps that do/don't work with SELinux.
I wouldn't know the typical ratio itself as a number, but I can tell you it is
surely less than one. I had three identical systems compromised at the same
time (one of the users had a weak password, and he used the same password on
all three machines... you wouldn't believe...). Two systems had SELinux
disabled, the third one had it enabled. For the first two, intruder managed to
escalate to root and I had a busy weekend reinstalling those machines from
scratch afterwards. For the third one, the intruder never managed to escalate
to root, and this was clearly visible in SELinux and other system logs. I
simply purged that user account and had everything working in no time.
So in essence, there is at least one machine (that I know of first-hand) where
SELinux prevented a serious intrusion. Therefore, the do/don't ratio of
breaches is surely less than one. :-)
> Without those, it's all handwaving and if there aren't any real metrics
> it's fair to assume the value isn't worth the trouble you can expect.
If there aren't any real metrics, it's only safe not to assume anything. The
pain/gain ratio can only be estimated for each particular case separately. If
it doesn't give you too much pain, SELinux is certainly a good thing to have
around, in enforcing mode. :-)
More information about the CentOS