[CentOS] SELinux - way of the future or good idea but !!!

Mon Nov 29 16:29:31 UTC 2010
Les Mikesell <lesmikesell at gmail.com>

On 11/29/2010 10:17 AM, Lamar Owen wrote:
> On Sunday, November 28, 2010 10:37:29 pm Les Mikesell wrote:
>> But that means you were running software with vulnerabilities or a user would
>> not be able to become root anyway.  Is that due to not being up to date (i.e.
>> would normal, non-SELinux measures have been enough), or was this before a fix
>> was available?
>
> By definition we are all running software with vulnerabilities.  Those vulnerabilities may not be public knowledge yet, but they are there, and many are likely known by the blackhats already, and kept 'mum.'
>
> Fixing vulnerabilities and keeping up to date alone is insufficient to keep you secure.  Can you say 'zero day?'

Agreed, but not everyone has time to do both - or to learn lots of 
distribution-specific details in mixed environments.  My opinion is that 
doing the simple stuff first is a win.  And that works the same on 
systems that don't include SELinux.

> SELinux is a powerful tool in helping combat zero day exploits from succeeding, in many cases.

And it also keeps most 3rd party software from working.  If you are 
storing credit card numbers or personal information that would be 
expensive to leak, then you obviously need to make every effort possible 
to block intrusion, although the people who regulate this stuff don't 
require SELinux explicitly.  But not all machines do that.

> I've run with SELinux in enforcing (targeted) mode on my laptop, now, since Fedora 11, and have only had two issues that required some head-scratching.  One was solved by a relabel.  The other was a little more devious, but a little tweaking in permissive mode showed me the solution.  I did learn a couple of really good lessons from that, though.  The first was to always keep a Fedora Live boot media with the laptop (CD or USB, or another partition on the hard disk).  The second was that there are some updates that must occur in pairs, and occasionally a relabel of at least part of the filesystem is going to be required.  But that's not hard to trigger, and isn't that inconvenient.

How much 3rd party software do you run where someone else has not 
already spent the time to work out the policies needed to let it work?

-- 
   Les Mikesell
    lesmikesell at gmail.com
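The two fixes described in this exchange (a relabel, and working out in permissive mode which rule a third-party program needs) both start from the AVC denial lines SELinux writes to the audit log. The script below is an added example, not code from the thread or from the SELinux project: it does by hand what audit2allow does, turning denial lines into candidate `allow` rules, and separately flags denials whose target carries a generic label (default_t, unlabeled_t, file_t), which usually means the files are mislabeled and need restorecon rather than a new rule. The AVC lines, the `myapp_t` domain and the `myappd` program are constructed for the example; the commands in the comments are the standard CentOS tools.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). The usual CentOS workflow
# for getting unknown 3rd party software to run under SELinux is:
#   setenforce 0                                   # permissive: log denials, don't block
#   ausearch -m avc -ts recent | audit2allow -M myapp   # build myapp.te / myapp.pp
#   semodule -i myapp.pp                           # load the local module
#   setenforce 1
# and, when the denials point at mislabeled files rather than missing rules:
#   restorecon -Rv /opt/myapp                      # relabel one tree
#   touch /.autorelabel && reboot                  # or relabel everything
# Below, the audit2allow step is reproduced with sed/awk so the reader can see
# exactly what information in an AVC line becomes what part of an allow rule.

# Constructed sample of /var/log/audit/audit.log lines (myapp_t, myappd are hypothetical).
AVC_SAMPLE='type=AVC msg=audit(1291045231.123:456): avc:  denied  { read } for  pid=1234 comm="myappd" name="config.ini" dev=sda2 ino=7890 scontext=unconfined_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1291045231.124:457): avc:  denied  { open } for  pid=1234 comm="myappd" name="config.ini" dev=sda2 ino=7890 scontext=unconfined_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1291045232.001:458): avc:  denied  { name_connect } for  pid=1234 comm="myappd" scontext=unconfined_u:system_r:myapp_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1291045233.500:459): avc:  denied  { write } for  pid=1234 comm="myappd" name="data" dev=sda2 ino=4321 scontext=unconfined_u:system_r:myapp_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir'

# avc_to_allow: read AVC lines on stdin, print one allow rule per
# (source type, target type, object class), merging the denied permissions.
# Only the type field of each context matters to a rule; user and role are dropped.
avc_to_allow() {
    grep 'avc:  denied' \
    | sed -n 's/.*denied  { \([^}]*\) } .*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\2 \3 \4 \1/p' \
    | sort \
    | awk '
        {
            key = $1 " " $2 ":" $3            # source_t target_t:class
            for (i = 4; i <= NF; i++)         # remaining fields are permissions
                if (!((key, $i) in seen)) { seen[key, $i] = 1; perms[key] = perms[key] " " $i }
        }
        END { for (k in perms) print "allow " k " {" perms[k] " };" }' \
    | sort
}

# relabel_candidates: denials whose target type is a catch-all label.
# Files under a path the policy does not know about end up as default_t,
# and new or copied files as unlabeled_t / file_t; granting access to those
# types would open the rule to every such file, so relabel instead.
relabel_candidates() {
    grep 'avc:  denied' \
    | grep -E 'tcontext=[^ ]*:(default_t|unlabeled_t|file_t):' \
    | sed -n 's/.* name="\([^"]*\)".*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1 (\2)/p' \
    | sort -u
}

echo "candidate rules for a local module:"
printf '%s\n' "$AVC_SAMPLE" | avc_to_allow
echo "targets to relabel with restorecon instead of allowing:"
printf '%s\n' "$AVC_SAMPLE" | relabel_candidates
```

Read the rules it prints before loading anything like them: `allow myapp_t default_t:dir { write };` would be accepted by semodule, but the right fix for that denial is giving the data directory a proper type, and the relabel list says so.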