[lug] SELinux

Mike mikedawg at gmail.com
Sun Jan 28 16:06:38 MST 2018


And for the bad email etiquette, I apologize. But the website mentioned
earlier:  https://www.coker.com.au/selinux/play.html

On Sun, Jan 28, 2018 at 4:03 PM, Mike <mikedawg at gmail.com> wrote:

>
>>
>> Has anyone actually seen selinux block an external attack?  I ask mostly
>> because it's bloatware and reconfiguring it takes forever (likely due to
>> being hard written to the kernel).  Thanks
>> mad.scientist.at.large (a good madscientist)
>> --
>> God bless the rich, the greedy and the corrupt politicians they have put
>> into office.   God bless them for helping me do the right thing by giving
>> the rich my little pile of cash.  After all, the rich know what to do with
>> money.
>>
>> Message: 2
>> Date: Sat, 27 Jan 2018 17:40:08 -0700
>> From: Alan Robertson <alanr at unix.sh>
>> To: mad.scientist.at.large at tutanota.com, lug at lug.boulder.co.us
>> Subject: Re: [lug] selinux
>> Message-ID: <1517100008.1647334.1250439216.732250C0 at webmail.messagingengine.com>
>> Content-Type: text/plain; charset="utf-8"
>>
>> There was a server on the Internet that was completely open that no one
>> could become root on because of SELinux.
>> --
>>   Alan Robertson
>>   alanr at unix.sh
>>
>>
>> ------------------------------
>>
>> Message: 3
>> Date: Sun, 28 Jan 2018 10:50:36 -0700
>> From: Rob Nagler <nagler at bivio.biz>
>> To: "Boulder (Colorado) Linux Users Group -- General Mailing List"
>>         <lug at lug.boulder.co.us>
>> Subject: Re: [lug] selinux
>> Message-ID: <CAJB=V00Q=jyzFHYq7bRNsAN303x66Ff+_JbfasOyDUb1uPDmLw at mail.gmail.com>
>> Content-Type: text/plain; charset="utf-8"
>>
>> On Sat, Jan 27, 2018 at 5:40 PM, Alan Robertson wrote:
>>
>> > There was a server on the Internet that was completely open that no one
>> > could become root on because of SELinux.
>> >
>>
>> This statement may be true (no way to verify), but it's not saying anything
>> useful. You don't need to be root to get all the data off of a server,
>> which is probably all that's important. The Equifax hack, for example, was
>> an exploit of Tomcat/Struts which was presumably running as user apache. If
>> a server does anything useful (besides being a honey trap), and there is a
>> bug in one of its services (which had rights to read data, which all useful
>> servers generally do), then SELinux is useless. SEL does not protect
>> against intrusions, just escalations.
>>
>> I think SEL is misunderstood to the point that it is security theater. For
>> example, the typical instruction for people "stuck" with SEL is to:
>>
>> # grep some-service /var/log/audit/audit.log | audit2allow -M some-service
>> # semodule -i some-service.pp
>>
>> At that point, you have "fixed" SEL, but what that means, you have no idea.
>> Consider the nginx case a while ago: I wanted to open port 7000, so I did
>> the above magic, and realized that it enabled "gatekeeper_port_t", which I
>> would have thought was port 7000, but it isn't. It's two TCP and two UDP
>> ports:
>>
>> # semanage port -l | grep gatekeeper
>> gatekeeper_port_t              tcp      1721, 7000
>> gatekeeper_port_t              udp      1718, 1719
>>
>> Now, if you don't know better, you've just enabled some ports, which may or
>> may not matter. If I was relying on SEL (instead of iptables), then I would
>> have created a potential vulnerability. Do you know what port 1718, 1719,
>> and 1721 do? Me either.
>>
>> Rob
>>
>
> I'm a huge fan of SELinux, and definitely recommend that anyone out there
> in the "open" world should be running SELinux.
>
> So, to sort of address the info that Rob placed out there, his example was
> specifically dealing with ports. Sure, if you open up ports on SELinux,
> just like iptables, you're opening that area of "attack". But even beyond
> ports, there are file and directory permissions put out by SELinux that are
> just as valuable. Only the right context of user should be able to open up
> files in /var/www? Sounds great, you just prevented an attacker logging
> into your machine as "RandomRarelyUsedServiceAccount" from
> downloading/manipulating the files for apache in /var/www.
>
> This is purely skimming the top-most layer of SELinux, but the amount of
> security it provides is very useful.
>
> NOTE: Not that it matters in this conversation, or anything, but I will
> throw it out there, that I work for RH, so maybe that accounts for some of
> my pro-SELinux sentiment.
>
>
> --
> Mike
>



-- 
Mike
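Rob's point above is that `audit2allow -M` grants whatever port type the denial named, and a type can cover more ports than the one you had in mind. The following POSIX shell script is an added example, not code from the thread or from any of its authors: it parses output in the format of `semanage port -l` and answers the two questions a reviewer should ask before installing the generated module, which type does this port carry, and what else does that type cover. The data is a constructed sample; the `gatekeeper_port_t` lines are the ones quoted in the thread, while the `http_port_t` and `reserved_port_t` lines are typical RHEL/Fedora defaults included as an assumption. On a real host you would pipe in `semanage port -l` instead of `SAMPLE_PORTS`.

```shell
#!/bin/sh
# Added example (not from the thread): show the "blast radius" of an SELinux
# port type before granting a domain access to it.

# Constructed sample in `semanage port -l` format. gatekeeper_port_t matches the
# thread; the other lines are typical RHEL/Fedora defaults (assumption).
SAMPLE_PORTS='gatekeeper_port_t              tcp      1721, 7000
gatekeeper_port_t              udp      1718, 1719
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
reserved_port_t                tcp      1-511
reserved_port_t                udp      1-511'

# type_for_port PROTO PORT
# Prints the port type covering PORT on PROTO, or nothing if it is unlisted.
# A single-port entry ("443") is preferred over a range ("1-511") that also
# contains the port, so a specific label is reported ahead of a catch-all.
type_for_port() {
    printf '%s\n' "$SAMPLE_PORTS" | awk -v proto="$1" -v port="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                tok = $i
                gsub(/,/, "", tok)
                if (index(tok, "-") > 0) {
                    split(tok, r, "-")
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0 && fallback == "")
                        fallback = $1
                } else if (tok + 0 == port + 0) {
                    print $1
                    found = 1
                    exit
                }
            }
        }
        END { if (!found && fallback != "") print fallback }'
}

# ports_for_type TYPE
# Prints every PROTO/PORT entry the type covers, space separated, on one line.
ports_for_type() {
    printf '%s\n' "$SAMPLE_PORTS" | awk -v type="$1" '
        $1 == type {
            for (i = 3; i <= NF; i++) {
                tok = $i
                gsub(/,/, "", tok)
                out = out sep $2 "/" tok
                sep = " "
            }
        }
        END { print out }'
}

# review_port PROTO PORT
# The check to run before accepting an audit2allow module: a rule written for
# this port's type also applies to every other port listed for that type.
review_port() {
    t=$(type_for_port "$1" "$2")
    if [ -z "$t" ]; then
        echo "$1/$2 is not in the listed port definitions"
        return 1
    fi
    echo "$1/$2 is $t, which also covers: $(ports_for_type "$t")"
}

review_port tcp 7000
review_port tcp 443
```

`audit2allow -M some-service` writes `some-service.te` next to the `.pp`, so the allow rules it is about to install can be read before `semodule -i`. If the only thing a web server needs is to bind one extra port, the narrower fix, usual practice rather than anything the thread states, is to add that single port to the type the domain already binds to (for example `semanage port -a -t http_port_t -p tcp 7000`) instead of granting the domain a type that carries unrelated ports.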