[CentOS] selinux on/off percentage

Mon Apr 2 14:10:01 UTC 2012
Lamar Owen <lowen at pari.edu>

On Monday, April 02, 2012 08:51:46 AM Les Mikesell wrote:
> Another statistic I'd like to see is how much admin time this costs on
> the average to learn and implement.   

No more than proper firewalling techniques cost, really.

> Has anyone really measured this?

Probably not.

>   Are there training courses specifically to cover it?   You might get
> an idea from the length and cost of the training if it covers all the
> quirks.   These days most of the built-in stuff is pre-configured for
> someone's idea of working (apache not being able to send mail doesn't
> match my definition, though...), but any third-party or local
> additions to a targeted service will take time to set up.

EL6 greatly improves the admin interface for SELinux with policycoreutils-gui as then all the booleans are quickly available (like the boolean that turns on or off httpd's ability to send e-mail (or connect to a network socket, etc)).  The booleans (at least most of them) are in EL5, but the interface isn't nearly as well documented (I know, many would like a TUI with the click boxes; maybe one is out there, maybe not; I'm not allergic to a remote GUI being available on a server).

The documentation for EL6 is better in this regard as well.  But, really, if you're having an issue with httpd getting 'access denied' things, then you can simply:
# getsebool -a |grep http

The booleans have reasonable, and readable, names that make sense, for the most part.  Find the boolean that controls the feature you want, and use setsebool to set it to on.

It's not hard, and the admin overhead once you're used to it is a few seconds at most.  It becomes another 'firewall-like' item to check off, really, as long as you do things at leat in a semi-standard way.

And ls-lZ is your friend, along with chcon.  It is one more step, but, honestly, it's not nearly as big a step as firewalling (ipchains/iptables) was ten/fifteen years ago.  At least not with EL6; but EL5U8 is better than EL5 GA was.

To the OP's question:  all but one of our CentOS boxen here have SELinux on, and in enforcing mode with either the targeted or the strict policies.  The strict policy is tough to get right, and is for special use servers on the DMZ, typically, with the targeted policy running everywhere else.  Including all the CentOS workstations we have, and even my Fedora laptop.  The one CentOS box with it on, and in permissive mode, soon will be in enforcing once I have the small amount of time necessary to work out the AVC's and set up the proper contexts. 

And SELinux has blocked a few attacks at this point for which there weren't yet patches; in other words, SELinux saved me from having to reimage servers that would have been pwned had SELinux not been running.  I can't give more detail than that due to NDA, sorry.

Again, compared to all the options firewalls give you (connection tracking, DPI, UDP versus TCP ports versus IP protocol numbers versus non-IP protocols versus IP flags versus.....) SELinux is not hard to configure from the admin's point of view.  Now, from the application developer point of view, things are different.  But, there again, it really boils down to making sure the files you create have the proper context, and writing policy to fit your access pattern. 

Increasing system security is not easy, and it takes time to do correctly, but it needs to be done in today's internet environment.