On Sunday 28 November 2010 19:28:17 Les Mikesell wrote:
> On 11/28/10 1:06 PM, Jorge Fábregas wrote:
> > There has been a lot of progress with SELinux lately. I think you should
> > reconsider your position and perhaps give it a try on the upcoming CentOS
> > 6, where the targeted policy is much more mature.
>
> SELinux has been around many years now. Are there any objective metrics we
> can observe instead of having people rant about their own opinions here?
>
> Things like:
> Number of bugs posted against SELinux itself.

If you mean the actual SELinux code (built into the kernel), it's a reasonably simple thing, AFAIK. In a nutshell, it takes the label of the app trying to gain some access and the label of the file being accessed, and looks up in a table of rules (the policy) whether the two are compatible. It isn't much different from the permissions system or the firewall. I don't expect any serious number of bugs reported against the code that implements that kind of thing.

If, however, you mean the SELinux policy, this is a moving target --- it evolves and changes even without bug reports, so any number of reported bugs would not be very useful as a meaningful metric.

> Measured hours of effort to learn the system well.

man chcon
man restorecon
man semanage

That gives you all the operational knowledge one typically needs when dealing with SELinux. Of course, you can always invest more time and read a more elaborate piece of documentation, if you wish. But for a reasonably capable sysadmin, reading three man pages is not a terrible effort; it can be done in less than one hour.

> Ratio of security breaches expected on systems that do/don't include
> SELinux. Lists of 3rd party apps that do/don't work with SELinux.

I wouldn't know the typical ratio itself as a number, but I can tell you it is surely less than one.

I had three identical systems compromised at the same time (one of the users had a weak password, and he used the same password on all three machines... you wouldn't believe...). Two systems had SELinux disabled; the third one had it enabled. On the first two, the intruder managed to escalate to root, and I had a busy weekend reinstalling those machines from scratch afterwards. On the third one, the intruder never managed to escalate to root, and this was clearly visible in SELinux and other system logs. I simply purged that user account and had everything working in no time.

So in essence, there is at least one machine (that I know of first-hand) where SELinux prevented a serious intrusion. Therefore, the do/don't ratio of breaches is surely less than one. :-)

> Without those, it's all handwaving and if there aren't any real metrics
> it's fair to assume the value isn't worth the trouble you can expect.

If there aren't any real metrics, it's only safe not to assume anything. The pain/gain ratio can only be estimated for each particular case separately. If it doesn't give you too much pain, SELinux is certainly a good thing to have around, in enforcing mode. :-)

Best, :-)
Marko
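As an added illustration of the two points Marko makes (the kernel's check is a lookup of source label, target label and object class against the policy, and a blocked action shows up in the logs), here is a toy model of that lookup plus a parser for AVC denial lines in the format used by /var/log/audit/audit.log. This is example code written for this page, not part of the thread; the policy rules, type names and audit lines are constructed.

```python
"""Toy model of SELinux type enforcement plus an AVC denial parser.
The POLICY rules and SAMPLE_LOG lines below are constructed examples."""
import re

# Constructed policy: (source type, target type, object class) -> allowed permissions.
# Anything not listed is denied, which is the default-deny rule SELinux applies.
POLICY = {
    ("httpd_t", "httpd_sys_content_t", "file"): {"read", "getattr", "open"},
    ("httpd_t", "httpd_log_t", "file"): {"append", "create", "getattr"},
    ("sshd_t", "shadow_t", "file"): {"read", "getattr"},
}

def type_of(context):
    """Extract the type field from a context like system_u:object_r:shadow_t:s0."""
    return context.split(":")[2]

def check(scontext, tcontext, tclass, perm):
    """Emulate the access vector check: look up (source type, target type, class)
    in the policy and allow only if perm is in the rule.  Unknown triples deny."""
    allowed = POLICY.get((type_of(scontext), type_of(tcontext), tclass), set())
    return perm in allowed

# Matches the core of a kernel AVC message: verdict, permissions, process
# fields, and the source/target contexts and object class.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+"
    r"(?P<fields>.*?)\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Parse one audit line; return None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {"verdict": m.group("verdict"), "perms": m.group("perms").split(),
            "comm": fields.get("comm", "").strip('"'), "scontext": m.group("scontext"),
            "tcontext": m.group("tcontext"), "tclass": m.group("tclass")}

# Constructed audit lines in the real AVC layout: a web server process
# trying to read /etc/shadow, then trying to execute a file under /tmp.
SAMPLE_LOG = """\
type=AVC msg=audit(1290970000.123:42): avc:  denied  { read } for  pid=2314 comm="httpd" name="shadow" dev=sda1 ino=1337 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1290970001.456:43): avc:  denied  { execute } for  pid=2315 comm="httpd" name="x.sh" dev=sda1 ino=2048 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1290970001.456:43): arch=c000003e syscall=59 success=no exit=-13
"""

def denials(log_text):
    """Return the parsed AVC denials, the records an admin looks for after an incident."""
    return [d for d in map(parse_avc, log_text.splitlines()) if d and d["verdict"] == "denied"]
```

Each parsed denial can be fed straight back into check(), which shows that the log record and the policy lookup describe the same decision.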