vvmarko at gmail.com
Tue Aug 31 03:57:43 UTC 2010
On Tuesday, August 31, 2010 01:15:15 JB wrote:
> Well, if selinux is the best that happened to security since sliced bread,
> then why people make these comments ?
Umm, let me see... :-)
(a) because SELinux has a learning curve;
(b) because SELinux uncovers bad admin practices by breaking lousy configured
apps, and thus uncovers admin incompetence;
(c) because SELinux security policies needed some time to mature to a usable
(d) because people don't like to give up their (bad) habits and accept more
strict rules, even when those rules are for their own benefit.
For example, the very first thing a Windows convert whines about in Linux is
having to deal with those ugly stupid "rwxrwxrwx" things that make his life so
miserable. And he hates having to learn about chown and chmod, let alone those
dreaded man pages that are sooooo cryptic... But the fact that all Windows
converts regularly whine about permissions doesn't make them right.
Ditto for SELinux.
As to your examples:
> Overall, the reception to SELINUX has been mixed in the Linux community
> with various sys-admins preferring to stay away from it because of the
> usage issues. ...
You missed to quote the wikipedia's "citation needed" tag at the end of this
This article is from 2007. A lot has changed since then.
This article (and most of the comments) is from 2007. A lot has changed since
This article is from 2007. A lot has changed since then. (Am I repeating
Aaah, this one is from December 2009, much more recent... :-)
> SELinux ... It is a highly flexible system, but also highly complex; even a
> minimal SELinux policy can involve thousands of rules. The complexity of
> SELinux has almost certainly inhibited its adoption in the broader Linux
> community; when SELinux gets in the way of real work, figuring out how to
> fix it can be a nontrivial task. Over the years, many administrators have
> concluded, like Ted Ts'o, that "life is too short for SELinux."
How about continuing the quote into the next paragraph:
"That said, Fedora and Red Hat have slowly made progress in using SELinux to
confine parts of the system without creating too much user pain. And there is
certainly a place for more comprehensive security models in general."
> And I could go on and on ...
I didn't bother to read the articles you quoted. First of all, they are just
obsolete, given the time when they were written. Second, since SELinux was
first introduced, I haven't seen a single reasonable and convincing argument
against using it. People just whine that it's cryptic, that it gets in the way
when they try to do something (wrong?), and that they don't like it. Those are
not real and convincing arguments.
The only critique that came even remotely close to reason was that running
SELinux produces a performance penalty, while having no gain if the machine is
not exposed to Internet. But in those cases one can just disable it to gain
back the performance, provided that security is not an issue.
All my current servers and desktops have SELinux in enforcing mode, and I
haven't seen a single AVC denial for two years now (since Fedora 9, to be
precise). The only exception was when a script-kiddie managed to guess a ssh
password of one of my users, and then tried to escalate to root. The attack
was unsuccessful mostly because of SELinux --- I saw a whole bunch of denials,
and managed to recover from the intrusion without having to wipe&reinstall the
whole system. That was my firsthand experience that SELinux is actually quite
useful and effective.
Of course, if you are smart enough to protect your system without SELinux, or
stupid enough to believe you cannot benefit from its protection, feel free to
disable it. You are also free to shut down the firewall, use your desktop from
a root account, publish your root password on the web, etc. :-)
More information about the users