My experience is that SELinux gets in the way far more than it helps. I'll be the first to admit I'm hardly a pro with the tool. However, I do have some serious doubts as to the efficacy of a tool that blocks a daemon's behavior when that daemon was given explicit consent to start and run by root. In my opinion SELinux is the TSA of the admin world.
I'll detail an example. When I was in Ecuador I set up a VOIP system for a community that had cheap broadband but super expensive phone service. CentOS was the logical choice for a server and I built the thing on top of Asterisk. Asterisk is a well known app. It does certain things and there is a specific reason for it doing what it does. Everyone who runs an Asterisk box pretty much has to already know what it's doing and why, or at least be trying to learn. Nevertheless, nothing I could find would allow it to start. Period. I tried everything, and that includes coming on this list and starting the last argument we had on SELinux, because thanks to you guys I was able to figure out that SELinux was what was preventing it from running. The solution at that time was to disable SELinux, or at least tell it to allow this process to do whatever it wants. Thus if Asterisk were to be compromised, SELinux would let it do whatever it wants. Which in my mind is the exact same thing as not having SELinux at all.

A tool like SELinux really needs to be more intelligent. Adding a "study what this process does" mode and allowing it to learn the norms of the process would in my mind justify the hassle of going in and telling it "yeah, sorry, daemonX was supposed to be able to do that particular thing" on the rare occasion that a daemon does change behavior by design. Think about it the same as SSH. When you connect to a server for the first time you get a warning: "This server's fingerprint is untrusted." If you allow it to connect, then from there on out it allows you to connect until the cert changes, at which time it starts denying until you force it to accept again.

Until SELinux smartens up a bit, I think I'll continue to use an airgap as the best security measure and, where that isn't practical, keep separate business processes on separate physical boxes, tied in only as much as they actually need to communicate with one another.
As to your analogy about a house door, SELinux doesn't do anything of the sort. Your analogy would be more akin to the SSH passwords-vs-certs argument we've got going on in the other thread. A better analogy would be along the lines of, "Do I really want my paranoid schizophrenic uncle, who is also really smart but lives in the attic, tossing out my house guests each time they try to run upstairs to go to the bathroom?"

On Thu, Feb 6, 2014 at 11:47 AM, Levi Pearson <[email protected]> wrote:
> On Thu, Feb 6, 2014 at 11:18 AM, S. Dale Morrey <[email protected]> wrote:
> > Process was running as an unprivileged user.
> > I'm guessing SELinux might have helped, but as we discussed before I make
> > it a habit to shut that off because 99% of the time it's just in my way.
> > Many, many times the only solution to a daemon not launching is "setenforce
> > 0" or some other "let's shut off selinux" type of answer, to the point that
> > disabling it is one of the first things I do. I can't have security
> > getting in the way of usability all the time like that.
>
> Yup, security is often inconvenient. But how often do you think,
> "Man, locking my door is a pain. When I get home and it's cold out
> and my gloves are on, it's so annoying to have to take them off to
> fish the key out of my pocket and unlock the door. And when my hands
> are full with groceries, I have to set them down too, and then pick
> them back up. You know what? I'm just going to leave my door
> unlocked. Locking it *really* inhibits its usability. And having to
> turn the doorknob is a pain, too. I'm just going to switch to a
> friction catch so I can push it open with my foot."
>
> Probably you should take the time to learn how SELinux or some similar
> tool works, and then using it would no longer be so inconvenient.
>
> --Levi
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
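An added illustration for readers of this thread (it is not from either post above): the "study what this process does" mode described in the message exists in SELinux at the granularity of one domain. Putting only the daemon's domain into permissive mode (semanage permissive -a asterisk_t) leaves the rest of the box enforcing while every would-be denial for that domain is still written to the audit log with permissive=1; ausearch -m avc lists those records, and audit2allow -M turns them into a policy module that semodule -i loads. The Python below models the audit2allow step over a few constructed audit.log lines in the standard AVC format. The process names, type labels and port number are sample values chosen for the illustration, not taken from any real system. The last sample line is there to show why the learned rules deserve a look before loading: a blind "accept whatever it learned" step would also grant the httpd_t domain read access to shadow_t.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log records (not from a real host).
# The first three are what a permissive asterisk_t domain logs while starting
# (permissive=1: recorded, not blocked); the fourth is a non-AVC record that a
# parser must skip; the last is an enforced denial from an unrelated daemon.
SAMPLE_LINES = [
    'type=AVC msg=audit(1391710000.101:901): avc:  denied  { write } for  pid=2140 comm="asterisk" name="asterisk" dev="dm-0" ino=131 scontext=system_u:system_r:asterisk_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1391710000.102:902): avc:  denied  { add_name } for  pid=2140 comm="asterisk" name="messages" scontext=system_u:system_r:asterisk_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1391710000.103:903): avc:  denied  { name_bind } for  pid=2140 comm="asterisk" src=5060 scontext=system_u:system_r:asterisk_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=1',
    'type=SYSCALL msg=audit(1391710000.103:903): arch=c000003e syscall=49 success=yes exit=0 comm="asterisk"',
    'type=AVC msg=audit(1391710000.104:904): avc:  denied  { read } for  pid=3001 comm="httpd" name="shadow" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0',
]

# One AVC denial: the permission set, then the source/target contexts and
# object class; permissive=N is present on newer kernels, so it is optional.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)
COMM_RE = re.compile(r'comm="([^"]*)"')


def context_type(ctx):
    """Return the type field of an SELinux context 'user:role:type[:level]'."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx


def parse_avc(line):
    """Parse one audit record; return None for anything that is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    comm = COMM_RE.search(line)
    return {
        "perms": set(m.group("perms").split()),
        "comm": comm.group(1) if comm else None,
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "permissive": m.group("permissive") == "1",
    }


def denied_domains(lines):
    """Source domains that hit denials: the candidates for a per-domain
    'semanage permissive -a <domain>' instead of a global 'setenforce 0'."""
    return {d["stype"] for d in map(parse_avc, lines) if d}


def summarize_denials(lines, domain=None):
    """Collapse denials to (source type, target type, class) -> permissions,
    the way audit2allow does; 'domain' restricts the summary to one source type."""
    summary = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is None or (domain and d["stype"] != domain):
            continue
        summary[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(summary)


def allow_rules(summary):
    """Render the summary as the allow rules audit2allow would put in a .te file.
    Review every rule before 'semodule -i': a learned rule is only as safe as the
    behaviour that produced it."""
    return [
        f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (stype, ttype, tclass), perms in sorted(summary.items())
    ]


if __name__ == "__main__":
    print("domains with denials:", sorted(denied_domains(SAMPLE_LINES)))
    for rule in allow_rules(summarize_denials(SAMPLE_LINES, domain="asterisk_t")):
        print(rule)
```

Run with the domain filter, as the usage block does, and you get the two rules the Asterisk domain actually needs; run it over the whole log and the httpd_t/shadow_t rule shows up alongside them, which is the case the message's "yeah, sorry, daemonX was supposed to do that" step is meant to catch rather than rubber-stamp.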
