[lug] Re: SELinux

Kevin Fenzi kevin at scrye.com
Sat Mar 11 16:34:40 MST 2006


>>>>> "David" == David L Anselmi <anselmi at anselmi.us> writes:

David> Sean Reifschneider wrote:
>> On Sat, Mar 11, 2006 at 10:10:57AM -0700, David L. Anselmi wrote:
>>> I'm disappointed the selinux is being added to Linux distros.  It
>>> would be nice if it was a package you could install separately.
>> For SELinux to be able to work, it has to be fairly invasive.

David> I figure as much.  But I'm an idealist and it would be nice if
David> there were a way to leave it out altogether.  And especially to
David> make sure it doesn't get turned on without being very clear to
David> the user how to deal with it to avoid things like:

David> http://www.tummy.com/journals/entries/kevin_20050614_113430

Sure, how about: 

- Boot with the 'selinux=0' kernel option.
- Change /etc/sysconfig/selinux to say 'disabled'.
- Run 'system-config-security' and use the GUI to enable/disable or
modify the policy.

It's pretty easy to disable (which is good). I think if it wasn't
being pushed by Fedora it wouldn't be getting better at such a fast
rate.

FYI, I am currently running my laptop with selinux enabled in
'enforcing' mode, and everything is working fine. I would expect with
the fc5 changes to the selinux policies, even more folks should be
able to leave it on. 

David> The kernel and filesystems may support it without having to
David> actually load the modules or use the file attributes.  But
David> maybe not.

David> [...]

Alas, the security hooks are too integrated into the kernel itself for
it to work with modules. 

>> I imagine that you don't really understand it if you don't think it
>> provides any value...  Out of the box on FC4/CentOS4 with it set to
>> "Enforcing", it will entirely block web-based attacks like the
>> awstats exploit that has been so popular lately.  It also allows
>> you to do even more advanced things like Kevin has done with his
>> firewall -- the "root" user is just a regular user with no
>> additional privs.

David> It's not that I don't understand it, I just don't need the
David> features.  So to me it doesn't make my systems better or easier
David> but takes time to learn and configure.  

Well, you don't need more security until someone compromises your
machine, then you wish you had it. ;) 

It would be ideal if selinux was totally transparent for the regular
user, but still blocked attackers. 

David> Fortunately whatever
David> Debian is doing with it hasn't broken anything.

I'm not a Debian developer, but I think what they are doing with
selinux is not much. It's not enabled or set up at all as far as I
know. (I'd love to hear differently.)

One thing that I think is bad about selinux is that it's currently
being pushed by Fedora and they are pretty much doing most if not all
of the development on it. It would be much better if it was used by
other distros as well... 

David> Really I'm curious what people are using SELinux for that make
David> them value it (and saying "I can't imagine a use for..." seems
David> to be a pretty good way to get replies ;-)

It's an additional security measure, making your systems harder to
compromise. What's the use of a deadbolt on your door? It makes it
harder to open your door, and it's annoying, so many people might just
never set it, but for those that want the additional security it's
nice that it's built in.

:)

kevin
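
As an added example (not code from Kevin's mail or from any SELinux tool), a POSIX sh function that works out which mode a box will come up in from the two settings the list above names: the 'selinux=0' kernel option and the SELINUX= line in /etc/sysconfig/selinux. The sample config contents below are constructed for the demonstration, and the "unknown" result for a missing or malformed SELINUX= line is this example's own convention.

```shell
#!/bin/sh
# Added example, not code from the original mail or from any SELinux tool.
# Works out the mode a box will come up in from the two settings named in
# the thread: the 'selinux=0' kernel option and the SELINUX= line in
# /etc/sysconfig/selinux. Useful when checking that a host you believe is
# enforcing has not quietly been left disabled or permissive.
# Usage: selinux_effective_mode CONFIG_FILE "KERNEL_CMDLINE"

selinux_effective_mode() {
    config="$1"
    cmdline="$2"

    # The kernel option wins: with selinux=0 SELinux is disabled at boot,
    # whatever the config file says.
    for word in $cmdline; do
        case "$word" in
            selinux=0) echo disabled; return 0 ;;
        esac
    done

    # Otherwise take the last uncommented SELINUX= assignment. Anything
    # other than the three documented values (or no line at all) is
    # reported as unknown with a non-zero exit status so a caller can
    # treat it as a misconfiguration to investigate.
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' \
               "$config" 2>/dev/null | tail -n 1)
    case "$mode" in
        enforcing|permissive|disabled) echo "$mode" ;;
        *) echo unknown; return 1 ;;
    esac
}

# Constructed sample of an /etc/sysconfig/selinux file (not a real host's).
sample_cfg=$(mktemp)
cat >"$sample_cfg" <<'EOF'
# This file controls the state of SELinux on the system.
#       enforcing  - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled   - No SELinux policy is loaded.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

# Same config file, booted with and without the kernel override.
echo "plain boot:     $(selinux_effective_mode "$sample_cfg" 'ro root=LABEL=/ quiet')"
echo "selinux=0 boot: $(selinux_effective_mode "$sample_cfg" 'ro root=LABEL=/ selinux=0 quiet')"
rm -f "$sample_cfg"
```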

