On Sunday 28 November 2010 19:18:29 cpolish at surewest.net wrote:
> Hypothetical: one admins a vended suite of applications that comprise
> an ERP. Many layers of management going all the way up to elected
> Board members, and by implication the public, have spent $millions to
> acquire, install, and augment it until it runs every aspect of the
> business. A thousand staff members and 20,000 customers have
> been trained to use the system. Major components (LDAP, email, database)
> come from a Fortune 50 company that was assimilated by another Fortune 50
> company. Not one piece of the ERP comes in RPM form.

[snip]

> > > given to people on this list to turn off SELinux because some devs in
> > > some company don't do their job right is also completely wrong.
>
> Perhaps completely wrong but also thoroughly entrenched, as explained
> above.

The point I was trying to make is just that disabling SELinux should be
done only by exception rather than as a rule of thumb when configuring a
server. Ditto for suggesting to others to disable it.

Of course I agree that in some circumstances it is impossible or unneeded
to run SELinux. One example is what you have described, another would be,
say, an offline machine. If the machine is not connected to the Internet
at all, disabling SELinux can bring a performance gain. I've seen this on
a couple of clusters used for dedicated computations --- every bit of
speed is important, while the machine is completely safe against remote
intrusion...

But for a generic server running generic services and facing the
Internet, SELinux brings another layer of security, and is quite easy to
maintain.

> > don't believe it can be considered a panacea either. Even with SE in
> > full protected mode, a simple SQL injection flaw can still expose much
> > of the sensitive data on your server.
>
> An example: Crafty Person enters an account # as:
> 9000' OR true
> and for the sake of argument, this retrieves 20,000 customer
> records. Does SELinux "do" anything? I suspect the answer is no.
> Tends to support the preceding argument (it's not a panacea).

I agree. However, SELinux can prevent privilege escalation if any
particular service or user on the system does get compromised. And this
kind of damage limitation can be a life-saver when a mission-critical
production server gets compromised (for example, by some user having a
weak password, as happened to me on several occasions).

So it is better to have SELinux running than not, unless you are
absolutely forced to turn it off. And even then, there is permissive
mode, which can be quite useful sometimes.

Best, :-)
Marko
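The SQL injection case discussed in the thread (an account number typed as `9000' OR true`) is an application-layer bug that no host-level MAC policy can see, because the query is legitimate traffic from the application's own process. The following is an added example, not code from the list post or from any of the products mentioned; it uses an in-memory SQLite table with constructed customer rows and the exact input from the post to contrast a query built by string formatting with a parameterized one. With string formatting the typed text becomes part of the SQL that the database parses (here the unbalanced quote makes SQLite raise a parse error, which is the telltale sign that the input reached the parser at all); with a bound parameter the same text is compared as data and simply matches no account.

```python
import sqlite3

# Constructed sample data for this example (not from the list post).
SAMPLE_CUSTOMERS = [
    ("9000", "Alice Example", "alice@example.invalid"),
    ("9001", "Bob Example", "bob@example.invalid"),
    ("9002", "Carol Example", "carol@example.invalid"),
]

# The account "number" exactly as typed in the quoted post.
CRAFTED_INPUT = "9000' OR true"


def make_db():
    """Create an in-memory SQLite database with a small customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (account TEXT PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, account):
    """Builds the query text with string formatting, so whatever the user
    typed is handed to the SQL parser as part of the statement."""
    sql = f"SELECT account, name, email FROM customers WHERE account = '{account}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, account):
    """Keeps the statement fixed and binds the value as a parameter, so the
    input is only ever compared against the column, never parsed."""
    sql = "SELECT account, name, email FROM customers WHERE account = ?"
    return conn.execute(sql, (account,)).fetchall()


def classify(conn, lookup, account):
    """Run one lookup and report the row count, or the parse error the
    database raised because the input was interpreted as SQL."""
    try:
        rows = lookup(conn, account)
        return {"rows": len(rows), "error": None}
    except sqlite3.OperationalError as exc:
        return {"rows": 0, "error": str(exc)}


def demo():
    """Exercise both query styles with a benign account and the crafted one."""
    conn = make_db()
    return {
        "benign_vulnerable": classify(conn, lookup_vulnerable, "9000"),
        "benign_parameterized": classify(conn, lookup_parameterized, "9000"),
        "crafted_vulnerable": classify(conn, lookup_vulnerable, CRAFTED_INPUT),
        "crafted_parameterized": classify(conn, lookup_parameterized, CRAFTED_INPUT),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Both styles return the single matching row for a well-formed account number; the difference only shows up on the crafted input. A database error surfacing from a lookup like this is worth alerting on in application logs, because it means user-controlled text is being parsed as SQL, and the fix is the parameterized form regardless of what the host's SELinux policy allows the database process to do.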