What do people think about SELINUX? pros and cons - Redhat


Thread: What do people think about SELINUX? pros and cons

  1. What do people think about SELINUX? pros and cons

    Usually most things in Linux are very structured and make a lot of
    intuitive sense. But I've never really gotten the hang of "SELINUX" and I
    was just wondering if it was just me or do other people share the
    feeling?

    I tried googling up the stuff several times but it just feels way too
    complicated for me. Permissions (perhaps more granular permissions as in
    AFS) work well for me and I never perceived a need for "contexts". Do
    people use them a lot? Perhaps it's just because I'm on a "toy-system" and
    the critical production servers use it? Or not?

    Or is it just that the implementation is so difficult that people are
    tempted to "setenforce 0".

    Is SELINUX more pushed by a particular distro (I'm on RHEL)? How big is
    the downside to turning SELINUX off (as I have! ) A serious security
    blunder? Or not?

    Just trying to develop a taste for SELINUX....but has been hard so far!

    --
    Rahul

  2. Re: What do people think about SELINUX? pros and cons

    Rahul wrote:

    > Usually most things in Linux are very structured and make a lot of
    > intuitive sense. But I've never really gotten the hang of "SELINUX" and I
    > was just wondering if it was just me or do other people share the
    > feeling?


    I believe the learning curve /is/ steep for SELinux...

    >
    > I tried googling up the stuff several times but it just feels way too
    > complicated for me. Permissions (perhaps more granular permissions as in
    > AFS) work well for me and I never perceived a need for "contexts". Do
    > people use them a lot? Perhaps it's just because I'm on a "toy-system" and
    > the critical production servers use it? Or not?
    >
    > Or is it just that the implementation is so difficult that people are
    > tempted to "setenforce 0".
    >
    > Is SELINUX more pushed by a particular distro (I'm on RHEL)?


    Have you googled?

    > How big is
    > the downside to turning SELINUX off (as I have! ) A serious security
    > blunder? Or not?


    How important is security with your system in mind?

    >
    > Just trying to develop a taste for SELINUX....but has been hard so far!
    >


    Hello to All:

    I suppose I'm a product of my environment so when I saw the early talk
    about SELinux being introduced into RHEL, I looked forward to it.

    In a previous life, I worked for an employer that spent lots of U.S.
    tax dollars. During my tenure, we saw quite a varied assortment of
    Internet based attacks that even crippled our systems. So even if a
    potential attacker were to gain access to our RHEL boxes, I was hopeful
    that SELinux, and other hardening actions, would limit or protect us
    from damage.

    I run SELinux “enforcing” and “targeted” and I'm considering going
    from “targeted” to “strict” as a test.

    One of the applications I've seen trouble with is “Google Earth”. Even
    then, I wrote a script to correct eleven SELinux reported errors I see
    when I've upgraded “Google Earth”. The other is clamav, but I've seen
    none lately.

    Two other products, from the NSA, are publications released to the
    public that deal with the hardening of RHEL 5:

    A blurb on SELinux here:


    Four pages of SELinux enlightenment here:


    Not all system administrators can implement everything in the above
    publications. However, much is very helpful.

    I realize that SELinux tries to help keep users and their applications
    from violating security policies within the OS. We also know that
    poorly written applications can cause SELinux to make things difficult
    for administrators and users. But, SELinux can also help keep hackers
    from doing damage and accessing files.

    If you've recently updated RHEL from 5.1 to 5.2, then the new SELinux
    policy files might make life easier. (or not)

    My $0.02USD.

    My best to all.

    --
    1PW

    @?6A62?FEH9E=6o2@=]4@> [r4o7t]

  3. Re: What do people think about SELINUX? pros and cons

    On Wed, 02 Jul 2008 01:51:38 -0700, 1PW wrote:

    >But, SELinux can also help keep hackers
    >from doing damage and accessing files.


    How exactly does it do that in a way that ordinary
    permissions or security on "vanilla" linux don't?

    Tony



  4. Re: What do people think about SELINUX? pros and cons

    On Wed, 02 Jul 2008 13:52:03 +0100, Tony wrote:
    >
    > How exactly does it do that in a way that ordinary
    > permissions or security on "vanilla" linux don't?


    Some light reading found here
    http://fedoraproject.org/wiki/SELinux

  5. Re: What do people think about SELINUX? pros and cons

    Tony wrote:
    > On Wed, 02 Jul 2008 01:51:38 -0700, 1PW wrote:
    >
    >> But, SELinux can also help keep hackers
    >>from doing damage and accessing files.

    >
    > How exactly does it do that in a way that ordinary
    > permissions or security on "vanilla" linux don't?
    >
    > Tony
    >
    >


    Hello Tony:

    I believe that in any group of computer users, the meaning of security
    has different definitions. However, the policy enforcements and the
    reporting are certainly the strong issues for me. Permissions are a
    wonderful idea and coupling that with reporting has allowed me to see
    that a few applications would benefit from security enhancements.

    Others can state it with much more eloquence:



    To the overburdened system administrator that disables SELinux at the
    first sign of trouble, I understand. Promise yourself to come back
    and seek a solution soon after. If one has it on their system, and
    not turned on, I'd encourage them to try it. Even if it means
    changing to 'Permissive' mode. Pursue the alerts as time permits.

    Recently, I gamma tested a Linux based administrative application, that
    when executed, caused several thousand SELinux alerts before
    completion. I contacted the author, and now hopefully the issue is
    being looked at. That application has a wonderful premise but
    hadn't been tested on many platforms.

    I use SELinux on our household, cable based ISP, system. I see between
    200 & 300 probes at my ports per day. Yes - I do rely on my firewall
    rules for protection. Yes, the probes are mostly looking for Windows
    vulnerabilities. Am I using anti-virus protection too? Yes. Will my
    luck run out one day? Perhaps. That's when I hope my numerous
    hardening measures will foil intrusion.

    As long as I see ongoing improvements (2 updates by the NSA this year),
    I'm going to try and benefit through SELinux.

    How say you?
    --
    1PW

    @?6A62?FEH9E=6o2@=]4@> [r4o7t]
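
The advice in post 5 to stay in Permissive mode and pursue the alerts as time permits gets easier once thousands of AVC denials are collapsed into the few distinct rules behind them. The following is an added example, not part of the thread: the log lines are constructed, and `parse_avc` and `summarize` are hypothetical helper names.

```python
import re
from collections import Counter

# Constructed sample audit.log lines (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1215000001.101:501): avc:  denied  { read } for  pid=2101 comm="httpd" name="shadow" dev=dm-0 ino=4411 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1215000002.202:502): avc:  denied  { read } for  pid=2101 comm="httpd" name="shadow" dev=dm-0 ino=4411 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1215000003.303:503): avc:  denied  { execmod } for  pid=3300 comm="exampleapp" path="/opt/example/lib.so" dev=dm-0 ino=9001 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1215000003.303:503): arch=40000003 syscall=125 success=no exit=-13
type=AVC msg=audit(1215000004.404:504): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # A context is user:role:type[:level]; the type is what policy rules match.
    return {
        "comm": m["comm"],
        "source_type": m["scontext"].split(":")[2],
        "target_type": m["tcontext"].split(":")[2],
        "tclass": m["tclass"],
        "perms": m["perms"].split(),
    }

def summarize(log_text):
    """Count denials per (comm, source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue  # SYSCALL and other non-AVC records are skipped
        for perm in rec["perms"]:
            key = (rec["comm"], rec["source_type"], rec["target_type"],
                   rec["tclass"], perm)
            counts[key] += 1
    return counts.most_common()  # most frequent denial first

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG):
        print(f"{n:5d}  " + "  ".join(key))
```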

  6. Re: What do people think about SELINUX? pros and cons

    On Wed, 02 Jul 2008 14:20:25 -0700, 1PW wrote:

    >As long as I see ongoing improvements (2 updates by the NSA this year),
    >I'm going to try and benefit through SELinux.
    >
    >How say you?


    As long as I see improvements I know the software was badly designed in the
    first place and bodging more "fixes" can only make matters worse -

    what I say is it's time we started holding OS companies responsible for their
    appalling software and financially responsible for security flaws.

    In no time flat they WILL fix it because it can be done. I suggest a class
    action or two.

    Until then they are going to keep spitting out the same OS every 2 years
    with different pretty front ends on and pretend it's something "new" and
    everyone stupid enough to do so will go on buying it because they keep
    on seeing "fixes"

    It isn't acceptable any more. It can be done and must be done right - first time
    on time every time.

    Make them financially responsible. And it will be.

    As far as linux is concerned - it's time all but maybe 2 flavours were shut down
    and the whole mess re-designed to make it useful. It shouldn't be too hard if
    the will was there. (Right now it is hardly useful for anything but web serving
    - don't take my word for it - go ask Red Hat)

    In the short term - now I've had chance to look I'm thinking maybe I should go
    back to windows. Probably an early version like the terminal I'm using now.

    SELinux is a bridge (or bodge) too far for me.

    You asked.
    Sorry - bad day - so you got it undiluted.

    Tony






