On Monday, November 29, 2010 11:29:31 am Les Mikesell wrote:
> Agreed, but not everyone has time to do both - or to learn lots of
> distribution-specific details in mixed environments. My opinion is that
> doing the simple stuff first is a win. And that works the same on
> systems that don't include SELinux.

The simple stuff on the Fedora box with SELinux is using the targeted policy in enforcing mode. Updates are easy, but there is always a lag from vulnerability discovery to vulnerability patching. Security isn't simple. The mantra 'just disable SELinux, you don't need it anyway because it's too big of a pain and apps that aren't part of the tested distribution can break' is oversimplifying a complex issue. My opinion is that I'm not going to run third-party apps that break in that way, and I'm going to let the developers know why.

> > SELinux is a powerful tool in helping combat zero day exploits from
> > succeeding, in many cases.
>
> And it also keeps most 3rd party software from working.

I'd ask you to qualify 'most'. All of the third-party software I run seems to run just fine, as long as the right contexts are applied. The most difficult was Scalix, but that wasn't too difficult, since the culprit (the embedded PostgreSQL server running on a nonstandard port with a nonstandard file tree) had a fairly simple policy change to be done, thanks to permissive mode.

> If you are
> storing credit card numbers or personal information that would be
> expensive to leak, then you obviously need to make every effort possible
> to block intrusion, although the people who regulate this stuff don't
> require SELinux explicitly. But not all machines do that.

If I use my laptop to do my online banking, then my browser cache, cookies, and other browser-stored data become critical. Client-side data in this case, but no less critical.

> > I've run with SELinux in enforcing (targeted) mode on my laptop, now,
> > since Fedora 11, and have only had two issues that required some
> > head-scratching.
>
> How much 3rd party software do you run where someone else has not
> already spent the time to work out the policies needed to let it work?

A few things, and none were very hard to set up. On the server side Scalix was the most difficult, but still not hard.
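The "simple policy change" the reply describes for a daemon on a nonstandard port and file tree is usually a labelling fix, not an allow rule. As an added illustration (not code from the thread or from Scalix), the script below parses AVC denials of the kind permissive mode collects in audit.log and maps each one to the matching `semanage port` / `semanage fcontext` command; the audit lines, the `/srv/example-pgdata` path and port 5433 are constructed.

```python
import re

# Constructed audit.log AVC records for a PostgreSQL instance that was started
# on a nonstandard port and data directory (not captured from a real system).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1291047600.123:456): avc:  denied  { name_bind } for  pid=2345 comm="postgres" src=5433 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1291047600.456:457): avc:  denied  { write } for  pid=2345 comm="postgres" name="base" dev="dm-0" ino=12345 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1291047600.789:458): avc:  denied  { read } for  pid=2345 comm="postgres" path="/srv/example-pgdata/postgresql.conf" scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")

def parse_avc(line):
    """Return the record's key=value fields plus the denied permission set,
    or None for any line that is not an AVC denial."""
    perms = PERMS_RE.search(line)
    if perms is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["perms"] = set(perms.group(1).split())
    fields["ttype"] = fields["tcontext"].split(":")[2]   # target type, e.g. var_t
    return fields

def suggest_fix(avc, data_root, port_type="postgresql_port_t",
                file_type="postgresql_db_t"):
    """Map one denial onto a labelling fix. A bind denial on a socket means the
    port carries the wrong port type; a file/dir denial means the data tree is
    not labelled as the daemon's own data. Anything else gets no suggestion."""
    if "name_bind" in avc["perms"] and avc["tclass"] in ("tcp_socket", "udp_socket"):
        proto = avc["tclass"].split("_")[0]
        return f"semanage port -a -t {port_type} -p {proto} {avc['src']}"
    if avc["tclass"] in ("file", "dir", "lnk_file"):
        return (f'semanage fcontext -a -t {file_type} "{data_root}(/.*)?" && '
                f"restorecon -Rv {data_root}")
    return None

def remediation_plan(audit_log, data_root):
    """Deduplicated, ordered list of relabelling commands for every denial in
    the log; run only after reviewing each line, never blindly."""
    plan = []
    for line in audit_log.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        fix = suggest_fix(avc, data_root)
        if fix and fix not in plan:
            plan.append(fix)
    return plan

if __name__ == "__main__":
    for cmd in remediation_plan(SAMPLE_AUDIT_LOG, "/srv/example-pgdata"):
        print(cmd)
```

Once the port and file tree carry the daemon's own types, the unmodified targeted policy applies and `setenforce 1` can go back on; no custom allow module is needed.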