[CentOS] SELinux - way of the future or good idea but !!!

Tue Nov 30 16:30:55 UTC 2010
Paul Heinlein <heinlein at madboa.com>

I'll add to the large (often interesting, but large nonetheless) pile 
of messages in this thread by remarking that even in permissive mode, 
SELinux can be very useful as an audit tool.

Those AVC messages folks love to hate show deviations from expected 
behavior. Sometimes those deviations are false positives and require a 
policy adjustment or relabeling. Sometimes, however, they show in 
great detail exactly what an exploited vulnerability did (or tried to 
do): read or replace files, open TCP ports or sockets, create and 
populate directories.

A while back, someone exploited a vulnerability on a machine in my 
care. I'd been having trouble getting other apps on that machine to 
work and play well with SELinux so I had it running in permissive 
mode. Using the audit logs, I was able to ascertain with a high degree 
of confidence the extent of the damage -- using information that would 
have been unavailable but for SELinux.

Of course, the exploit wouldn't have been possible if I'd been running 
SELinux in enforcing mode... :-)

Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
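
A small added example (not part of Paul's post) of the triage he describes: a Python parser that reads AVC records in audit.log format, pulls out the events for one source domain and groups them by object class and permission, giving the files written, ports connected to and directories created. The sample records, the httpd_t domain and the helper names are constructed assumptions, not data from the thread.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not real logs) from an httpd_t process.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1291134655.123:4567): avc:  denied  { write } for  pid=2314 comm="httpd" name="index.php" dev=sda1 ino=123456 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1291134656.456:4568): avc:  denied  { name_connect } for  pid=2314 comm="httpd" dest=6667 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ircd_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1291134657.789:4569): avc:  denied  { create } for  pid=2314 comm="httpd" name=".x" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1291134658.001:4570): avc:  denied  { read } for  pid=1120 comm="named" name="named.conf" dev=sda1 ino=7777 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1291134658.001:4570): arch=40000003 syscall=5 success=yes exit=4
"""

# In permissive mode the kernel still logs "denied" but lets the action through,
# so each record is an action the process actually took, not a blocked attempt.
AVC_RE = re.compile(r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
                    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC record into a dict; return None for other record types."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "serial": int(m.group("serial")),
           "result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # the SELinux type is the third field of user:role:type:level
    rec["sdomain"] = rec.get("scontext", "::?").split(":")[2]
    rec["ttype"] = rec.get("tcontext", "::?").split(":")[2]
    return rec

def timeline(log_text, domain):
    """Chronological list of every AVC event whose source domain is `domain`."""
    events = [r for r in map(parse_avc, log_text.splitlines())
              if r and r["sdomain"] == domain]
    return sorted(events, key=lambda r: (r["ts"], r["serial"]))

def summarize(events):
    """Group by (object class, permission) -> targets: files written, ports
    connected to, directories created, as the post describes."""
    summary = defaultdict(list)
    for e in events:
        for p in e["perms"]:
            summary[(e["tclass"], p)].append(e.get("name") or e.get("dest") or e["ttype"])
    return dict(summary)

if __name__ == "__main__":
    for (tclass, perm), targets in summarize(timeline(SAMPLE_AUDIT_LOG, "httpd_t")).items():
        print("%-10s %-12s %s" % (tclass, perm, ", ".join(targets)))
```

On a real box the same records come from `ausearch -m avc` or /var/log/audit/audit.log; the point of filtering by source domain is that only the compromised service's own actions are listed, not the policy noise from everything else.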