selinux & external threats - Security


Thread: selinux & external threats

  1. selinux & external threats

    I have heard that the main use of selinux is to
    protect from threats internal to the box, usually
    from users, and that with regard to external
    threats to such things as an e-mail server or
    a web server, it is of little or no use.

    Is this true?

    Thanks for your help.
    Mike.


  2. Re: selinux & external threats

    Mike - EMAIL IGNORED wrote:

    > I have heard that the main use of selinux is to
    > protect from threats internal to the box, usually
    > from users, and that with regard to external
    > threats to such things as an e-mail server or
    > a web server, it is of little or no use.
    >
    > Is this true?
    >


    There are only so many bad things you can do to a box without gaining access
    to it as a user. Even before that, since daemons run with the privileges of
    a user, MAC can provide better segmentation and limit exposure to certain
    types of attack.

    In this case I'd say if you didn't already know the answer to that question,
    then there's a lot of other answers you should be learning before setting
    up selinux on your box.

    C.
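
Added example, not part of the original posts: one way to see how much of the segmentation described above a host actually has is to list daemons whose SELinux domain does not confine them. The function name, the list of types treated as unconfined, and the sample `ps -eZ` output are assumptions constructed for this illustration.

```shell
#!/bin/sh
# Flag daemons whose SELinux domain adds no confinement if the service is
# compromised over the network.
# Input: `ps -eZ` output (columns: LABEL PID TTY TIME CMD).
# A label has the form user:role:type:level; the type is the process domain.

# Assumption: these types are treated as "not confined". Adjust to the
# policy loaded on the host being reviewed.
UNCONFINED_TYPES="unconfined_t unconfined_service_t initrc_t"

unconfined_daemons() {
    awk -v types="$UNCONFINED_TYPES" '
        BEGIN {
            n = split(types, t, " ")
            for (i = 1; i <= n; i++) bad[t[i]] = 1
        }
        NR == 1 && $1 == "LABEL" { next }   # skip the header line
        {
            split($1, ctx, ":")             # ctx[3] is the domain (type)
            # TTY "?" means no controlling terminal, i.e. a daemon rather
            # than an interactive login session.
            if ($3 == "?" && (ctx[3] in bad)) print $2, ctx[3], $5
        }'
}

# Constructed sample input (not captured from a real system).
sample_ps_output() {
    cat <<'EOF'
LABEL                             PID TTY          TIME CMD
system_u:system_r:httpd_t:s0      812 ?        00:00:03 httpd
system_u:system_r:postfix_master_t:s0 640 ?    00:00:01 master
system_u:system_r:initrc_t:s0     977 ?        00:00:09 legacy-ftpd
system_u:system_r:unconfined_service_t:s0 1033 ? 00:00:02 custom-webapp
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1450 pts/0 00:00:00 bash
EOF
}

# Demonstration on the sample; on a live host: ps -eZ | unconfined_daemons
sample_ps_output | unconfined_daemons
```

Each line of output is a PID, domain and command for a service that the policy would not contain after a remote compromise; the interactive `bash` session is skipped because it has a terminal.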

  3. Re: selinux & external threats

    Colin McKinnon (06-03-23 00:09:39):

    > > I have heard that the main use of selinux is to protect from threats
    > > internal to the box, usually from users, and that with regard to
    > > external threats to such things as an e-mail server or a web server,
    > > it is of little or no use.
    > >
    > > Is this true?

    >
    > [...]
    >
    > In this case I'd say if you didn't already know the answer to that
    > question, then there's a lot of other answers you should be learning
    > before setting up selinux on your box.


    And to answer the question: it's not entirely useless, but other
    projects have been created specifically for the protection from the
    outside. In particular, grsecurity is one good
    starting point.

    However, in most cases a proper set of packet filtering rules does
    suffice. Those packages are only for cases where you need extreme
    configurability, or where a service running on the host is vulnerable.
    PaX for example protects from almost any stack- or heap-based attack
    against vulnerable services. They are still going to crash, but the
    attacker doesn't gain access to the system.

    SELinux on the other hand is for purposes where you need access
    control. As Colin said, it's mainly for protection against local
    attackers who already have some access privileges on that host.


    Regards.
