[CentOS] SELinux - way of the future or good idea but !!!

Tue Nov 30 21:13:00 UTC 2010
Marko Vojinovic <vvmarko at gmail.com>

On Tuesday 30 November 2010 19:04:12 Benjamin Franz wrote:
> On 11/30/2010 10:42 AM, Lamar Owen wrote:
> > It boils down to balancing 'it breaks my app that I can't or won't fix'
> > against 'you've been pwned!'
> 
> Actually, it boils down to 'what causes more total costs to the
> business'. Right now, in my experience, that is SELinux. Break ins to my
> servers are extremely rare (one machine out of several dozen internet
> exposed machines in 13 years). SELinux randomly taking out some aspect
> of operations is fairly frequent in comparison (several incidents on
> just the handful of machines I have that it was left active on).
> 
> Security in not an end unto itself. It exists to support the business
> making money. If a cost saving measure is costing the business more than
> it is saving it, it is *not* a good idea no matter how technically
> superior it is.

That may be the case at the moment. But in the future you can expect that 
quality (of SELinux) will eventually outperform quantity (of software that 
doesn't support it).

Computer power is always growing, and we saw a post on this very list the 
other day about someone using a 5 bucks-per-hour (or so) Amazon cloud to 
easily crack passwords by brute force. One can expect that the number and 
severity of intrusions is going to rise in the future, and conventional 
security measures will not be enough for much long. When that time comes, you 
(as a sysadmin of some big corporation with a lot of in-house and third-party 
code running mission-critical stuff) will *want* SELinux, and you will *want* 
all that custom software to be SELinux compliant.

So at the moment SELinux might seem like a waste of sysadmin precious time and 
effort, but it is actually a wise investment to make. The sooner you learn how 
to make your system work with it, the better.

And developers of non-SELinux-compliant software will sooner or later find 
themselves under pressure to become compliant. Look what happened to oil 
industry --- they were actively supressing any R&D of alternative fuel sources 
for several decades, because it could grow to become competition for the oil 
money-making. And now, when the oil is running out, that same industry is 
investing an ever larger amount of money for that same R&D in order to save 
themselves from disaster.

Quantity cannot successfully suppress quality, not forever. It is always a 
Good Idea(tm) to embrace quality sooner, because it is an investment that will 
give you an edge later on.

Of course, managers and other people focused solely on money-making cannot (or 
don't want to) see anything beyond the next fiscal period, like governments and 
the election period. That kind of thinking is bound to fail at some point or 
produce big losses in order to survive (stockmarket crises? wars?). But 
sysadmins can choose not to be ignorant in this matter, so my advice is --- 
learn to use SELinux today, it will make your life easier tomorrow. ;-)

P.S. I am just waiting for the day when SELinux is going to become locked in 
enforcing mode by the kernel developers, much as the traditional permissions 
system is a mandatory thing right now. :-D

Best, :-)
Marko