That doesn't really wash with me. This seemingly endless blabber that all things Linux are more secure than all things Microsoft has been shown to be wrong time and time again. That doesn't mean the reverse is true either.
Take a look at the security analysis and patch levels and you'll see that even though Microsoft do have critical patches, so do Linux, Solaris, MacOS and so on.
The suggestion that the NSA "wrote" SELinux doesn't imply that it's secure. Security comes through proof. I'm sure all the pro-Linux, anti-Microsoft chaps will stand up right about now and proclaim that Microsoft has a very poor record. This is true; I wouldn't disagree with that.
What I would disagree with is the implication that an NSA-born Linux is secure, just because, and that somehow Microsoft's poor record gives SELinux the gold star award for security.
Edited 2007-08-22 00:33
It's because so few distributions include even basic support for it out of the box.
Just about every distribution includes basic support for SELinux. The problem is that basic support for SELinux is useless. Any package that includes a binary needs an SELinux policy, and the policy is highly distribution-specific. SELinux is a major commitment on the part of a distribution project.
SELinux isn't something you drop into a Linux system to make it more secure. It's a firewall that coats the boundaries between all of the internal software components of the system. Every interaction between applications, users, and resources falls under its jurisdiction. Every little piece of your system has to be SELinux-aware or your system won't work as desired.
So you're absolutely right. It isn't so much that people (i.e. users and admins) are afraid. It's distributors that are afraid. SELinux is a QA nightmare. It's the antithesis of the "just works" experience that most Linux distributors are trying to provide. It's dependency hell all over again, except now it's policy hell.
Basic support? SELinux is an all-or-nothing proposition. You either dive in headfirst and provide comprehensive and sane default policies for all of your supported packages, or you decide that it's not in the best interests of your target market. Don't try to find a middle ground. You're either an SELinux distribution or not.
A desktop Linux user needs a firewall, but she doesn't need SELinux any more than she needs RAID5 with a hot spare. Even AppArmor is arguably overkill for a personal server. Leave SELinux where it belongs: in the enterprise.
Edited 2007-08-22 00:25
Butters,
You don't need to give me a lecture on SELinux. I know what it is and how it works.
SELinux or similar is needed if being secured requires having Mandatory Access Control. Microsoft has raised the bar by including MAC via UAC, so Linux needs to embrace it as well. POSIX ACLs are another area where *nix needs better coverage. ACLs provide finer tuned file and directory permissions over basic Unix style permissions.
Fedora and RHEL have a sane implementation: targeted policy with few disturbances when using the provided troubleshooting tool and configuration tool. The key is to enable Enforcing mode and at least tweak the memory protection boolean options a bit for better coverage. Since the targeted policy only covers certain critical apps and daemons, it's important to enable restrictions for broader coverage.
Edited 2007-08-22 00:45
http://james-morris.livejournal.com/21473.html SELinux blocks Apache DoS
http://danwalsh.livejournal.com/10131.html SELinux prevents Samba vulnerability
http://www.linuxjournal.com/article/9176 SELinux blocks Mambo exploit
http://secunia.com/cve_reference/CVE-2006-3626/ 0day Linux kernel vulnerability that is blocked by SELinux in RHEL and Fedora.
http://archives.neohapsis.com/archives/fulldisclosure/2006-07/att-0... Previous link exploit code for you to try out on an SELinux enabled redhat box.
SELinux belongs in places where security is important.
After you've done a few post-mortem forensic analyses on hacked servers, your mind might change.
Note that pretty much all of my boxes run SELinux in some form or fashion.
A desktop Linux user needs a firewall, but she doesn't need SELinux any more than she needs RAID5 with a hot spare. Even AppArmor is arguably overkill for a personal server. Leave SELinux where it belongs: in the enterprise.
A firewall is just a tiny piece in the security chain. IMHO proactive security measures could save your day. If only on one occasion. Fedora really has a lot of experience with SELinux and managed to get fc7 with an enforcing targeted policy on the road that works no different from any other distro. Fedora Core 7 even includes a policy for Netscape browsers (Firefox and co) and Mozilla Thunderbird.
You're right that SELinux can be a burden for any distro that starts implementing this advanced security mechanism. Isn't that the case for anything complicated you begin to explore? Red Hat has done the walk and it's quite impressive how well they have managed the default policies.
Most malware enters one's system through any web browser or an e-mail message. A firewall will not help you if malignant code sends messages hidden in UDP 53 or ICMP or TCP 80 fragments. Unless you disconnect the box from the network altogether.
Just a few days ago someone introduced a simplified alternative to SELinux: SMACK - Simplified Mandatory Access Kernel. Obviously there are no plans yet to merge it, but it looks like a good approach for those looking for something easier to implement than SELinux.
http://lkml.org/lkml/2007/8/11/95







It's not so much that people are afraid.
It's because so few distributions include even basic support for it out of the box.
You pretty much need RHEL, Fedora, or similar to get decent support.
This should definitely change, however. Until they do, MS bloggers will keep expelling their FUD about Windows security vs. *nix.