Drawing lessons from fatal SELinux bug #1054350

drago01 drago01 at gmail.com
Fri Jan 24 10:54:24 UTC 2014 

On Fri, Jan 24, 2014 at 12:55 AM, Kevin Kofler <kevin.kofler at chello.at> wrote:

>
> So, what happened:
> * We are enabling SELinux enabled (enforcing) by default, a tool designed to
> prevent anything it does not like from happening. (Reread this carefully:
> The ONLY thing that tool is designed to do at all is PREVENT things. It does
> not have a SINGLE feature other than being a roadblock and an annoyance.)

The "feature" is called security. By your logic everyone should be
root, we should
disable other security features like ASLR and NX (both PREVENT me from running
malicious code but do not add a SINGLE feature).

So please read on how security is implemented and why.

> * SELinux works by shipping a "policy" that effectively tries to specify in
> one single place (read: single point of failure!) everything any program in
> Fedora (scalability disaster!) ever wants to do (second-guessing its actual
> code, i.e., duplication of all logic!).

That's not how it works not how it supposed to work. Please read on MAC.

> (Note the 3 (!) major antipatterns
> in a single-sentence (!) description of how SELinux works!)

Not a description on how it works but your misunderstand.

> * An update to that SELinux policy was shipped that BREAKS the most critical
> tools in Fedora, the ones required to update the system and thus install the
> fixes for any regressions, including the very regression that caused the
> breakage. And also any automated workarounds are blocked by design.

No idea what "automated workaround" means but there are other ways to
deal with it see Colin's post.

> * That update made it out to the stable updates! In other words, the
> draconian Update Policies that were enacted in a vain attempt to prevent
> such issues from happening utterly failed at catching this bug.

Yeah so we should find out why this happened and improve the testing
procedures to not let it happen in the feature (again see Colin's mail).


> So, what needs to happen:
> * SELinux must be disabled (or preferably, not installed in the first place,
> to avoid wasting space for nothing) by default! Just consider the benefits
> (none!)

As stated above that's not true.

> * The Update Policies must be repealed. This regression has shown us that
> not only they totally failed at preventing it, but they are actively
> contributing to exposing MORE users to broken updates by delaying regression
> fixes. (This kind of regression fixes needs to go out DIRECTLY to stable!)

This is a contradiction "our current testing didn't find the bug so
how about we do no testing at all".

More information about the devel mailing list