[lug] selinux

Rob Nagler nagler at bivio.biz
Sun Jan 28 10:50:36 MST 2018


On Sat, Jan 27, 2018 at 5:40 PM, Alan Robertson wrote:

> There was a server on the Internet that was completely open that no one
> could become root on because of SELinux.
>

This statement may be true (no way to verify), but it's not saying anything
useful. You don't need to be root to get all the data off of a server,
which is probably all that's important. The Equifax hack, for example, was
an exploit of Tomcat/Struts which was presumably running as user apache. If
a server does anything useful (besides being a honey trap), and there is a
bug in one of its services (which had rights to read data, which all useful
servers generally do), then SELinux is useless. SEL does not protect
against intrusions, just escalations.

I think SEL is misunderstood to the point that it is security theater. For
example, the typical instruction for people "stuck" with SEL is to:

# grep some-service /var/log/audit/audit.log | audit2allow -M some-service
# semodule -i some-service.pp

At that point, you have "fixed" SEL, but what that means, you have no idea.
Consider the nginx case from a while ago: I wanted to open port 7000, so I did
the above magic, and realized that it enabled "gatekeeper_port_t", which I
would have thought was port 7000, but it isn't. It's two TCP and two UDP
ports:

# semanage port -l | grep gatekeeper
gatekeeper_port_t              tcp      1721, 7000
gatekeeper_port_t              udp      1718, 1719

Now, if you don't know better, you've just enabled some ports, which may or
may not matter. If I were relying on SEL (instead of iptables), then I would
have created a potential vulnerability. Do you know what ports 1718, 1719,
and 1721 do? Me neither.

Rob
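The check the post above is asking for, as an added example that is not part of the original mail: before installing an audit2allow module that grants name_bind on a port type, expand that type to every port it covers. The functions below parse the `semanage port -l` layout (type, protocol, comma-separated ports or lo-hi ranges). SAMPLE is a constructed snippet in that layout (the gatekeeper lines match the post; the others are illustrative), not output from any real host; on a real system pass `"$(semanage port -l)"` as the trailing argument instead.

```shell
#!/bin/sh
# Added example, not from the original mail. Expand an SELinux port type to
# every port it covers before allowing a domain to name_bind on it.
# SAMPLE is a CONSTRUCTED listing in the `semanage port -l` layout; on a real
# host use:  check_bind tcp 7000 "$(semanage port -l)"

SAMPLE='gatekeeper_port_t              tcp      1721, 7000
gatekeeper_port_t              udp      1718, 1719
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
afs_pt_port_t                  tcp      7002
afs_pt_port_t                  udp      7002
unreserved_port_t              tcp      61001-65535
unreserved_port_t              udp      61001-65535'

# type_for_port PROTO PORT [LISTING]: print the type(s) whose port list
# contains PORT for PROTO, treating "lo-hi" entries as inclusive ranges.
type_for_port() {
    printf '%s\n' "${3:-$SAMPLE}" | awk -v proto="$1" -v port="$2" '
    $2 == proto {
        for (i = 3; i <= NF; i++) {
            p = $i; sub(/,$/, "", p)
            lo = p; hi = p
            if (split(p, r, "-") == 2) { lo = r[1]; hi = r[2] }
            if (port + 0 >= lo + 0 && port + 0 <= hi + 0) print $1
        }
    }'
}

# ports_for_type TYPE [LISTING]: print every proto/port the type covers,
# space separated, i.e. everything a name_bind allow rule on TYPE permits.
ports_for_type() {
    printf '%s\n' "${2:-$SAMPLE}" | awk -v ptype="$1" '
    $1 == ptype {
        for (i = 3; i <= NF; i++) {
            p = $i; sub(/,$/, "", p)
            out = out (out == "" ? "" : " ") $2 "/" p
        }
    }
    END { print out }'
}

# check_bind PROTO PORT [LISTING]: the question to ask before running
# semodule -i on a module that grants name_bind on the covering type.
check_bind() {
    listing="${3:-$SAMPLE}"
    t=$(type_for_port "$1" "$2" "$listing")
    if [ -z "$t" ]; then
        echo "$1/$2: not explicitly labeled in this listing"
        return 1
    fi
    echo "$1/$2 is labeled $t; allowing name_bind on $t also admits: $(ports_for_type "$t" "$listing")"
}

check_bind tcp 7000
```

Two practical notes. `audit2allow -M some-service` writes `some-service.te` next to the `.pp`; read the `.te` before `semodule -i` so you see which types the allow rules name. And if nginx (httpd_t) really must listen on 7000, the narrower fix is to relabel that single port into the type httpd_t already binds, `semanage port -m -t http_port_t -p tcp 7000` (`-m`, not `-a`, because 7000 is already defined as gatekeeper_port_t), then confirm with `semanage port -l | grep -w 7000`; that grants nothing on 1718, 1719 or 1721.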