Red Hat Boosts SELinux With RHEL 5
E. Stride writes "Many IT managers find Security Enhanced Linux, or SELinux, to be wildly complex. The mandatory access controls originally developed by the NSA have developed a reputation for being too complicated to deal with, and many IT shops simply turn the feature off. However, Red Hat's Dan Walsh says it's the only way to ensure 100% protection in the data center."
just how good is this? (Score:3, Interesting)
Is it better for my personal Linux box to have this, or is iptables enough?
100% Secure (Score:5, Interesting)
Ignoring for now that nowhere in the article does he claim that SELinux provides or is required for "100% security", there's no such damn thing. Unless you pull out the power cord, of course.
Yes, we disable SELinux at our shop. As the article mentions, it's a pain in the ass, and the tools to manage it are not mature enough. If all you have is RHEL, and you have nothing else to do, you can look at configuring it. If you have a bunch of corporate mucky-mucks breathing down your neck, and you have to get the latest version of GnuWhatever compiled for 5 different OSs, there's no time to deal with this nonsense.
SELinux probably works just great for what it was designed for - NSA top-secret systems. There's always a tradeoff between security and usability, and right now, SELinux is just above yanking the power cord.
Better, but still a way to go. (Score:2, Interesting)
SELinux is a problem (Score:2, Interesting)
Just the other day, I tried to install "rt" on a brand new RHEL 5 box for a demo (we're looking into new ticket systems). I found that "yum install mysql-server" hung forever. Same with the apache install. It turns out that SELinux thinks that useradd being run by the mysql rpm (to add user "mysql") was trying to attack
This wasn't a hacked up RHEL box or anything. I had installed it that morning.
There were suggested fixes in my logs, but they did not work. My solution? Disable SELinux. It's just not ready for prime-time. Or production environments.
Less complex alternatives exist to SELinux. (Score:5, Interesting)
Red Hat is not going to get much traction from this unless there is a very easy to use tool (preferably with GUI) to configure and customize SELinux, out of the box. The default tools on RHEL allow a few options during install time, but it is truly primitive.
There really doesn't need to be this huge love/hate relationship with SELinux, in fact why not just throw it out and use something far simpler and neater? There are several options out there. Off the top of my head I can think of GRSEC: http://www.grsecurity.net/
We've been using this on two of our server farms and it's been doing a superb job, and it is very very easy to customize compared to the SELinux nightmare.
Re:anecdotes... (Score:3, Interesting)
SELinux makes sure things that are set up don't get arbitrarily changed. It isn't prescient to know that YOU have proper authority to make those changes. You have to tell it that.
So, with SELinux you have one more step when you make substantive changes. Tell SELinux about it.
Simply moving folders or files around as root and modifying program config files is NOT enough. What the hell is the difference between YOU doing it and a HACKER doing it? SELinux doesn't know. Hell, things like moving my Apache docroot around is something I'd really want to have secured.
SELinux (and Solaris 10) try to fix that by implementing RBAC, MAC and Type Enforcement. http://csrc.nist.gov/rbac/rbac-faq.html
Re:100%? (Score:3, Interesting)
As far as your comment on error codes and 'Permission denied by MAC policy', quite a few (if not most) app developers do not handle all possible error codes returned by the OS and do not have a "catch-all" clause when handling errors. So returning a "new and wonderful" error code is actually likely to cause more mayhem than returning one of the "well known" error codes like -EACCES. I would rather have the actual error code configurable on a per-item basis (dunno if SEL can do that as I have not yet committed to the several days necessary to learn its deep internals).
Re:SELinux is a good thing (Score:3, Interesting)