[CentOS] SELinux - way of the future or good idea but !!!

Lamar Owen lowen at pari.edu
Tue Nov 30 22:01:43 UTC 2010


On Tuesday, November 30, 2010 01:22:53 pm m.roth at 5-cent.us wrote:
> Right - change *local* policy for every iteration.

On the servers I would of course put policy into revision control and build it into our customization package (I've built RPM's for a long time).  Then consistent contexts can get propagated across the ESX CentOS guests.

And policy doesn't have to be changed for every iteration, any more than ownership or file permissions have to be kept up to date for every iteration.

> I'm talking about the real, outside world, *not* my own personal system.
> ......
> As I said, I work in the real world with all this, and you seem to be
> arguing, based on your own personal experience that those of us in the
> workplace should do thus-and-so, and we're telling you what it's like in
> the trenches, and why we don't like selinux.

Well, Mark, I have always been an advocate of 'eating my own dog food' figuratively speaking.  If I, the CIO, can't get it to work on my personal system, then it's not likely going to work when deployed to production servers, either.  And since I delve into the trenches (fusion splicing fiber when needed, for that matter) nearly daily, fighting the ever present malware, the ever present spam tsunami, and the ever present risk of hacks (filled a /var/log partition one day; server VM template got an update after that to increase the size of that partition), I take a lot more rest when a known and proven security enhancement is working.  

Now, I'm not so naive that I'm going to say our systems aren't vulnerable; I'm sure some enterprising soul out there could probably break in, and then we'd have to clean up the mess; cost of doing business.  But every reasonable step to increase security is a step I'm willing to take; especially when the cost is small, in my production server farm, with the mix of applications we run.  YMMV.

The OP asked " Question is whether worth pursuing as SELinux is the way of the future. Or is SELinux a good idea that never really made it's way into the sun."

My opinion, and the opinion of Upstream (judging from the OOB setup), among many other studied opinions here on this list, is that the OP (Alison, I think?) should study SELinux, as it is most definitely going to increase in the future.  It's not going away, and falling back on permissive mode as the final operating state is just going ostrich on the problems out there.  

I truly do sympathize with your situation; the malicious attackers out there looking for a way in to every system they can get their grubby little paws on will not sympathize, and if the lack of SELinux support creates a hole, they will exploit it.  And I've read through some forum postings from you on your issues with SiteMinder; so I understand it's frustrating.  I do understand that. 

This thread has already, for me at least, futher reinforced the need to better understand the workings of SELinux; the documentation has improved a lot since I last read it, so now is the time to dig back in and see if some improvements have been made.  Because, no, it's not as easy as it should be, and, yes it can sometimes break in arcane ways (but so can KDE, or GNOME, or anything else).  But it is worth studying, which is the the answer I give to the OP's question.



More information about the CentOS mailing list