Proposal: ReadOnlyDirectories /etc and /usr for network-services

Reindl Harald h.reindl at thelounge.net
Thu Jul 25 19:36:08 UTC 2013



On 25.07.2013 21:26, Miloslav Trmač wrote:
> On Thu, Jul 25, 2013 at 6:36 PM, Reindl Harald <h.reindl at thelounge.net> wrote:
>> if you are able to marry pure-ftpd, samba and 250 cms-installations predictably
>> on a machine running also *self-developed* management-software for a complete
>> infrastructure on 20 Fedora servers with SELinux go ahead :-)
>>
>> been there, done that, and it makes things so secure that they are completely
>> unusable because you are searching all day long for problems: access denied
>> here and there
> 
> That can happen with SELinux when the application does something
> unanticipated by the policy writers.  It can also happen just the same
> with ReadOnly Directories, for just the same reason, can't it?

no it can't

there is a difference between write to /usr and write to a bind-mount
under /usr/local which is not part of the OS as well as other trees
on disks far away from the FHS layout

> I suppose there may be a difference in how often that happens - "/usr is
> read only" is a fairly well-targeted heuristic, OTOH "/usr is read
> only" also leaves a large part of the system completely unprotected

correct

but in environments like mine it includes *anything* installed
from packages and leaves out *anything* of our own software
which needs write-access and can only be married with SELinux
with a lot of (too much) effort

I tried SELinux several times on clones and finally it was way
too much unpredictable work to arrange it with the running
infrastructure, while making /usr and /etc read-only was done
and tested for any service within a few hours

I am a perfectionist but at the same time I have to draw a line
between perfect and doable without killing the company's workspace

the proposal draws the line in a perfect way, has no measurable
performance impact and does work nicely on systems with enforced
SELinux - that is why one of my first thoughts was "hey why is
this not the default?"
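As an added illustration of the setup the message describes (not code from the thread or from the Fedora proposal): a systemd drop-in that makes /etc and /usr read-only for one service while carving a site-specific tree under /usr/local back out as writable. The unit name `pure-ftpd.service` and the path `/usr/local/mgmt` are assumptions chosen to match the examples in the mail; the directives `ReadOnlyDirectories=`, `ReadWriteDirectories=` and `InaccessibleDirectories=` are the 2013-era spellings, which current systemd still accepts but documents under the names `ReadOnlyPaths=`, `ReadWritePaths=` and `InaccessiblePaths=`.

```ini
# /etc/systemd/system/pure-ftpd.service.d/readonly.conf   (hypothetical drop-in)
[Service]
# The packaged OS trees become read-only, but only inside this service's
# private mount namespace; the rest of the system sees no change.
ReadOnlyDirectories=/etc /usr

# Self-developed software that must write lives outside the package-managed
# tree; the more specific entry re-enables writes under the read-only /usr.
ReadWriteDirectories=/usr/local/mgmt

# Trees the service has no business seeing at all.
InaccessibleDirectories=/home /root

# A process keeping CAP_SYS_ADMIN could simply remount the tree read-write,
# so drop that capability (or filter the mount syscalls) for the restriction
# to mean anything.
CapabilityBoundingSet=~CAP_SYS_ADMIN
```

After `systemctl daemon-reload`, `systemctl show -p ReadOnlyPaths -p ReadWritePaths pure-ftpd.service` confirms what was parsed, and `systemd-run -p ReadOnlyPaths=/etc -t /bin/sh` gives an interactive shell in the same kind of namespace to check that writes under /etc fail as expected. Since systemd 214 the shorthand `ProtectSystem=full` expresses the /usr, /boot and /etc read-only part of this in a single line.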
