[CentOS] SELinux - way of the future or good idea but !!!
vvmarko at gmail.com
Tue Nov 30 21:13:00 UTC 2010
On Tuesday 30 November 2010 19:04:12 Benjamin Franz wrote:
> On 11/30/2010 10:42 AM, Lamar Owen wrote:
> > It boils down to balancing 'it breaks my app that I can't or won't fix'
> > against 'you've been pwned!'
> Actually, it boils down to 'what causes more total costs to the
> business'. Right now, in my experience, that is SELinux. Break ins to my
> servers are extremely rare (one machine out of several dozen internet
> exposed machines in 13 years). SELinux randomly taking out some aspect
> of operations is fairly frequent in comparison (several incidents on
> just the handful of machines I have that it was left active on).
> Security is not an end unto itself. It exists to support the business
> making money. If a cost saving measure is costing the business more than
> it is saving it, it is *not* a good idea no matter how technically
> superior it is.
That may be the case at the moment. But in the future you can expect that
quality (of SELinux) will eventually outperform quantity (of software that
doesn't support it).
Computer power is always growing, and we saw a post on this very list the
other day about someone using a 5 bucks-per-hour (or so) Amazon cloud to
easily crack passwords by brute force. One can expect that the number and
severity of intrusions is going to rise in the future, and conventional
security measures will not be enough for much longer. When that time comes, you
(as a sysadmin of some big corporation with a lot of in-house and third-party
code running mission-critical stuff) will *want* SELinux, and you will *want*
all that custom software to be SELinux compliant.
So at the moment SELinux might seem like a waste of a sysadmin's precious time and
effort, but it is actually a wise investment to make. The sooner you learn how
to make your system work with it, the better.
And developers of non-SELinux-compliant software will sooner or later find
themselves under pressure to become compliant. Look what happened to the oil
industry --- they were actively suppressing any R&D of alternative fuel sources
for several decades, because it could grow to become competition for the oil
money-making. And now, when the oil is running out, that same industry is
investing ever larger amounts of money in that same R&D in order to save
themselves from disaster.
Quantity cannot successfully suppress quality, not forever. It is always a
Good Idea(tm) to embrace quality sooner, because it is an investment that will
give you an edge later on.
Of course, managers and other people focused solely on money-making cannot (or
don't want to) see anything beyond the next fiscal period, much like governments and
the election cycle. That kind of thinking is bound to fail at some point or
produce big losses in order to survive (stock market crises? wars?). But
sysadmins can choose not to be ignorant in this matter, so my advice is ---
learn to use SELinux today, it will make your life easier tomorrow. ;-)
P.S. I am just waiting for the day when SELinux is going to become locked in
enforcing mode by the kernel developers, much as the traditional permissions
system is a mandatory thing right now. :-D