[Novalug] Selinux: to disable or not
James Ewing Cottrell 3rd
JECottrell3 at Comcast.NET
Thu Mar 15 19:16:05 EDT 2012
On 3/14/2012 9:45 AM, Peter Larsen wrote:
> On Mon, 2012-03-12 at 09:35 +0000, jecottrell3 at comcast.net wrote:
>> Methinks you are a tad optimistic. I think Very Few people actually take the time to understand it.
> Methinks not ;) At least not with the system administrators I talk to.
Then we obviously run in different circles.
> SELinux has more than 10 years behind it now. It is and should be part
> of any server installation you use; and with Fedora I'm even having no
> problems running desktop things with SELinux enabled too.
It is getting better...less intrusive...I will give you that.
> I cannot speak
> to Ubuntu or Arch - personally I think it would be a big mistake by not
> including nor enabling SELinux in any distribution these days.
Include it sure...turning it on is another thing entirely.
>> However...I have progressed to the point of running it in Permissive mode rather than Disabled.
> Then why have it at all?
Yup. I can claim that I am "using" it, but it doesn't get in my way. And
if it starts squawking, I can look for trouble.
> This is like declaring, that you're using file
> security settings, but you always login as root to turn them off in
> runtime mode?
Many production servers only have root, or generic users for web
servers. People ssh into them as root and the SAs have their public keys
in /root/.ssh/authorized keys. No user accounts on servers...not even SAs.
> The whole point of SELinux is to stop unplanned/uknown features to be
> utilized on your system - not to allow backdoors to be installed that
> could compromise your system.
This doesn't worry me. And besides...it's just another door to compromise.
> Personally I'm getting a bit tired of the argument that this "new thing"
> isn't needed.
Well, clearly it is no longer new. But remember...people resist what
they don't like. Remember how many people kept running SunOS 4 instead
of switching to Solaris?
> There's good reason that the DoD requires it, and quite
> frankly every large installation of Linux that I know of, requires it
.GOV is seriously paranoid these days...way too restrictive...not a fun
environment to work in anymore.
> Just as they require firewalls, file based security and other
> security features we almost take for granted with Linux these days.
Next you'll be wanting to use ACL's too.
> Basic SELinux is not that hard to learn. We've got plenty of tools that
> makes basic trouble-shooting a breeze.
Maybe...but what does it really buy me? Going from 98% Secure to 99%
Secure doesn't thrill me.
I am totally happy with "I'm Root and You're Not". That's all the
Security I need. Simple to understand, simple to use.
Oddly enough, I do like Capabilities tho.
More information about the Novalug