What do people think about SELINUX? pros and cons
Usually most things in Linux are very structured and make a lot of intuitive sense. But I've never really gotten the hang of "SELINUX" and I was just wondering if it was just me or do other people share the feeling?

I tried googling up the stuff several times but it just feels way too complicated for me. Permissions (perhaps more granular permissions as in AFS) work well for me and I never perceived a need for "contexts". Do people use them a lot? Perhaps it's just because I'm on a "toy-system" and the critical production servers use it? Or not?

Or is it just that the implementation is so difficult that people are tempted to "setenforce 0".

Is SELINUX more pushed by a particular distro (I'm on RHEL)? How big is the downside to turning SELINUX off (as I have!) A serious security blunder? Or not?

Just trying to develop a taste for SELINUX....but has been hard so far!

--
Rahul

Re: What do people think about SELINUX? pros and cons
Rahul wrote:
> Usually most things in Linux are very structured and make a lot of
> intuitive sense. But I've never really gotten the hang of "SELINUX" and I
> was just wondering if it was just me or do other people share the
> feeling?

I believe the learning curve /is/ steep for SELinux...

> I tried googling up the stuff several times but it just feels way too
> complicated for me. Permissions (perhaps more granular permissions as in
> AFS) work well for me and I never perceived a need for "contexts". Do
> people use them a lot? Perhaps its just because I'm on a "toy-system" and
> the critical production servers use it? Or not?
>
> Or is it just that the implementation is so difficult that people are
> tempted to "setenforce 0".
>
> Is SELINUX more pushed by a particular distro (I'm on RHEL)?

Have you googled?

> How big is
> the downside to turning SELINUX off (as I have! ) A serious security
> blunder? Or not?

How important is security with your system in mind?

> Just trying to develop a taste for SELINUX....but has been hard so far!

Hello to All:

I suppose I'm a product of my environment so when I saw the early talk about SELinux being introduced into RHEL, I looked forward to it.

In a previous life, I worked for an employer that spent lots of U.S. tax dollars. During my tenure, we saw quite a varied assortment of Internet based attacks that even crippled our systems. So even if a potential attacker were to gain access to our RHEL boxes, I was hopeful that SELinux, and other hardening actions, would limit or protect us from damage.

I run SELinux “enforcing” and “targeted” and I'm considering going from “targeted” to “strict” as a test. One of the applications I've seen trouble with is “Google Earth”. Even then, I wrote a script to correct eleven SELinux reported errors I see when I've upgraded “Google Earth”. The other is clamav, but I've seen none lately.

Two other products, from the NSA, are publications released to the public that deal with the hardening of RHEL 5:

A blurb on SELinux here:
<http://www.nsa.gov/snac/os/redhat/rhel5-guide-i731.PDF>

Four pages of SELinux enlightenment here:
<http://www.nsa.gov/snac/os/redhat/rhel5-pamphlet-i731.pdf>

Not all system administrators can implement everything in the above publications. However, much is very helpful.

I realize that SELinux tries to help keep users and their applications from violating security policies within the OS. We also know that poorly written applications can cause SELinux to make things difficult for administrators and users. But, SELinux can also help keep hackers from doing damage and accessing files.

If you've recently updated RHEL from 5.1 to 5.2, then the new SELinux policy files might make life easier. (or not)

My $0.02USD. My best to all.

--
1PW @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

Re: What do people think about SELINUX? pros and cons
On Wed, 02 Jul 2008 01:51:38 -0700, 1PW <barcrnahgjuvfgyr@nby.pbz> wrote:
>But, SELinux can also help keep hackers
>from doing damage and accessing files.

How exactly does it do that in a way that ordinary
permissions or security on "vanilla" linux don't?

Tony

Re: What do people think about SELINUX? pros and cons
On Wed, 02 Jul 2008 13:52:03 +0100, Tony wrote:
> How exactly does it do that in a way that ordinary
> permissions or security on "vanilla" linux don't?

Some light reading found here:
http://fedoraproject.org/wiki/SELinux

Re: What do people think about SELINUX? pros and cons
Tony wrote:
> On Wed, 02 Jul 2008 01:51:38 -0700, 1PW <barcrnahgjuvfgyr@nby.pbz> wrote:
>
>> But, SELinux can also help keep hackers
>> from doing damage and accessing files.
>
> How exactly does it do that in a way that ordinary
> permissions or security on "vanilla" linux don't?
>
> Tony

Hello Tony:

I believe that in any group of computer users, the meaning of security has different definitions. However, the policy enforcements and the reporting are certainly the strong issues for me.

Permissions are a wonderful idea and coupling that with reporting has allowed me to see that a few applications would benefit from security enhancements.

Others can state it with much more eloquence:

<http://searchenterpriselinux.techtarget.com/news/column/0,294698,sid39_gci1253747,00.html>

To the overburdened system administrator that disables SELinux at the first sign of trouble, I understand. Promise yourself to come back and seek a solution soon after.

If one has it on their system, and not turned on, I'd encourage them to try it. Even if it means changing to 'Permissive' mode. Pursue the alerts as time permits.

Recently, I gamma tested a Linux based administrative application, that when executed, caused several thousand SELinux alerts before completion. I contacted the author, and now hopefully the issue is being looked at. That application has a wonderful premise but hadn't been tested on many platforms.

I use SELinux on our household, cable based ISP, system. I see between 200 & 300 probes at my ports per day. Yes - I do rely on my firewall rules for protection. Yes, the probes are mostly looking for Windows vulnerabilities. Am I using anti-virus protection too? Yes.

Will my luck run out one day? Perhaps. That's when I hope my numerous hardening measures will foil intrusion.

As long as I see ongoing improvements (2 updates by the NSA this year), I'm going to try and benefit through SELinux.

How say you?

--
1PW @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

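An added example, not part of any post in this thread: when a system is left in Permissive mode and the alerts are worked through over time, as the post above suggests, grouping AVC denial records by rule and by command shows which application accounts for most of them. The log lines, `exampleapp`, `scannerd` and `scannerd_t` are constructed sample values; the layout assumed is the `type=AVC` record written to `/var/log/audit/audit.log`.

```python
import re
from collections import Counter

# Constructed sample in audit.log AVC format; names, paths and types are made up.
SAMPLE_LOG = """\
type=AVC msg=audit(1215033625.101:210): avc:  denied  { execmod } for  pid=4101 comm="exampleapp" path="/opt/exampleapp/libfoo.so" dev=sda1 ino=9001 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1215033625.101:210): arch=40000003 syscall=125 success=no exit=-13 comm="exampleapp"
type=AVC msg=audit(1215033700.442:233): avc:  denied  { execmod } for  pid=4188 comm="exampleapp" path="/opt/exampleapp/libbar.so" dev=sda1 ino=9002 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1215034011.007:251): avc:  denied  { read write } for  pid=2210 comm="scannerd" name="scan.tmp" dev=sda1 ino=7310 scontext=system_u:system_r:scannerd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
"""

PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def parse_avc(line):
    """Parse one AVC denial record; return None for any other line."""
    perms = PERMS_RE.search(line)
    if not line.startswith("type=AVC") or perms is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None  # truncated or malformed record
    return {
        "comm": fields.get("comm", "?"),
        "perms": perms.group(1).split(),
        "source": selinux_type(fields["scontext"]),
        "target": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }

def summarize(log_text):
    """Count denials per (source type, target type, class, permission) and per command."""
    by_rule, by_comm = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line.strip())
        if rec:
            by_comm[rec["comm"]] += 1
            for perm in rec["perms"]:
                by_rule[(rec["source"], rec["target"], rec["tclass"], perm)] += 1
    return by_rule, by_comm

if __name__ == "__main__":
    for rule, count in summarize(SAMPLE_LOG)[0].most_common():
        print(count, *rule)
```
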
Re: What do people think about SELINUX? pros and cons
On Wed, 02 Jul 2008 14:20:25 -0700, 1PW <barcrnahgjuvfgyr@nby.pbz> wrote:
>As long as I see ongoing improvements (2 updates by the NSA this year),
>I'm going to try and benefit through SELinux.
>
>How say you?

As long as I see improvements I know the software was badly designed in the first place and bodging more "fixes" can only make matters worse - what I say is it's time we started holding OS companies responsible for their appalling software and financially responsible for security flaws. In no time flat they WILL fix it because it can be done. I suggest a class action or two.

Until then they are going to keep spitting out the same OS every 2 years with different pretty front ends on and pretend it's something "new" and everyone stupid enough to do so will go on buying it because they keep on seeing "fixes".

It isn't acceptable any more. It can be done and must be done right - first time on time every time. Make them financially responsible. And it will be.

As far as linux is concerned - it's time all but maybe 2 flavours were shut down and the whole mess re-designed to make it useful. It shouldn't be too hard if the will was there. (Right now it is hardly useful for anything but web serving - don't take my word for it - go ask Red Hat)

In the short term - now I've had chance to look I'm thinking maybe I should go back to windows. Probably an early version like the terminal I'm using now. SELinux is a bridge (or bodge) too far for me.

You asked. Sorry - bad day - so you got it undiluted.

Tony