SELINUX

Marko Vojinovic vvmarko at gmail.com
Tue Aug 31 03:57:43 UTC 2010


On Tuesday, August 31, 2010 01:15:15 JB wrote:
> Well, if SELinux is the best thing that happened to security since sliced bread,
> then why do people make these comments?

Umm, let me see... :-)

(a) because SELinux has a learning curve;
(b) because SELinux uncovers bad admin practices by breaking lousily configured 
apps, and thus uncovers admin incompetence;
(c) because SELinux security policies needed some time to mature to a usable 
state;
(d) because people don't like to give up their (bad) habits and accept more 
strict rules, even when those rules are for their own benefit.

For example, the very first thing a Windows convert whines about in Linux is 
having to deal with those ugly stupid "rwxrwxrwx" things that make his life so 
miserable. And he hates having to learn about chown and chmod, let alone those 
dreaded man pages that are sooooo cryptic... But the fact that all Windows 
converts regularly whine about permissions doesn't make them right.

Ditto for SELinux.

As to your examples:
 
> http://en.wikipedia.org/wiki/Security-Enhanced_Linux
> ...
> Overall, the reception to SELINUX has been mixed in the Linux community
> with various sys-admins preferring to stay away from it because of the
> usage issues. ...

You failed to quote Wikipedia's "citation needed" tag at the end of this 
sentence.

> http://articles.techrepublic.com.com/5100-10878_11-6156411.html

This article is from 2007. A lot has changed since then.

> http://www.linuxsecurity.com/content/view/129763

This article (and most of the comments) is from 2007. A lot has changed since 
then.

> http://lwn.net/Articles/252588/

This article is from 2007. A lot has changed since then. (Am I repeating 
myself here?)

> http://lwn.net/Articles/365224/

Aaah, this one is from December 2009, much more recent... :-)

> SELinux ... It is a highly flexible system, but also highly complex; even a
> minimal SELinux policy can involve thousands of rules. The complexity of
> SELinux has almost certainly inhibited its adoption in the broader Linux
> community; when SELinux gets in the way of real work, figuring out how to
> fix it can be a nontrivial task. Over the years, many administrators have
> concluded, like Ted Ts'o, that "life is too short for SELinux."

How about continuing the quote into the next paragraph:

"That said, Fedora and Red Hat have slowly made progress in using SELinux to 
confine parts of the system without creating too much user pain. And there is 
certainly a place for more comprehensive security models in general."

> And I could go on and on ...

I didn't bother to read the articles you quoted. First of all, they are just 
obsolete, given the time when they were written. Second, since SELinux was 
first introduced, I haven't seen a single reasonable and convincing argument 
against using it. People just whine that it's cryptic, that it gets in the way 
when they try to do something (wrong?), and that they don't like it. Those are 
not real and convincing arguments.

The only critique that came even remotely close to reason was that running 
SELinux produces a performance penalty, while having no gain if the machine is 
not exposed to the Internet. But in those cases one can just disable it to gain 
back the performance, provided that security is not an issue.

All my current servers and desktops have SELinux in enforcing mode, and I 
haven't seen a single AVC denial for two years now (since Fedora 9, to be 
precise). The only exception was when a script-kiddie managed to guess an ssh 
password of one of my users, and then tried to escalate to root. The attack 
was unsuccessful mostly because of SELinux --- I saw a whole bunch of denials, 
and managed to recover from the intrusion without having to wipe & reinstall the 
whole system. That was my firsthand experience that SELinux is actually quite 
useful and effective.
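The "whole bunch of denials" described above is what an admin sees in /var/log/audit/audit.log as AVC records. The following script is an added example, not part of Marko's message: it parses AVC records, counts denials by source domain, target type, object class and permission, and reads the SELINUX= mode from an /etc/selinux/config-style text. The audit lines embedded in it are constructed for the example (the type names shadow_t and passwd_file_t are the labels Fedora's targeted policy gives /etc/shadow and /etc/passwd, but the pids, inodes and timestamps are made up), and the parser assumes each AVC record sits on one line with space-separated key=value fields, which is how auditd writes them.

```python
"""Summarise SELinux AVC denials from audit-log text (added example; sample data is constructed)."""
import re
from collections import Counter

# Constructed sample in the record format of /var/log/audit/audit.log.
# These are NOT real log lines from any machine; pids, inodes and times are invented.
# The pattern shown (a confined user domain repeatedly denied on shadow_t and
# passwd_file_t) is the kind of thing a defender looks for after a stolen ssh password.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1283226000.101:4020): arch=c000003e syscall=2 success=no exit=-13 comm="cat" exe="/bin/cat" subj=user_u:user_r:user_t:s0
type=AVC msg=audit(1283226000.101:4020): avc:  denied  { read } for  pid=4321 comm="cat" name="shadow" dev="dm-0" ino=131 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1283226000.512:4022): avc:  denied  { read write } for  pid=4322 comm="sh" name="passwd" dev="dm-0" ino=132 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1283226001.007:4025): avc:  denied  { read } for  pid=4323 comm="cat" name="shadow" dev="dm-0" ino=131 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1283226002.300:4030): avc:  granted  { setenforce } for  pid=4400 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# One AVC record: header, verdict, the { perm ... } set, then key=value fields.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$'
)
# key=value where value is either quoted or a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
    }
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    return rec


def context_type(ctx):
    """Extract the type (third component) from a user:role:type[:level] context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def summarize_denials(log_text):
    """Count denials keyed by (source type, target type, object class, permission).

    Granted records and non-AVC records (SYSCALL, PATH, ...) are skipped, and a
    record denying several permissions at once is counted once per permission.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        for perm in rec["perms"]:
            key = (context_type(rec["scontext"]), context_type(rec["tcontext"]),
                   rec["tclass"], perm)
            counts[key] += 1
    return counts


def top_denials(log_text, n=3):
    """Return the n most frequent denial keys with their counts, most frequent first."""
    return summarize_denials(log_text).most_common(n)


def parse_selinux_config(config_text):
    """Return the SELINUX= value (enforcing/permissive/disabled) from /etc/selinux/config text.

    Comment lines and blank lines are ignored; returns None if the key is absent.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "SELINUX":
            return value.strip()
    return None


if __name__ == "__main__":
    for (src, tgt, cls, perm), count in top_denials(SAMPLE_AUDIT_LOG):
        print(f"{count:3d}  {src} -> {tgt} ({cls}: {perm})")
```

Running it against a real log is a matter of `summarize_denials(open("/var/log/audit/audit.log").read())`; the same grouping is what `ausearch -m avc` followed by `audit2why` walks you through, and a burst of denials from a single confined user domain against shadow_t or passwd_file_t is the signal worth reading before deciding that the denial is a policy bug rather than an intruder.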

Of course, if you are smart enough to protect your system without SELinux, or 
stupid enough to believe you cannot benefit from its protection, feel free to 
disable it. You are also free to shut down the firewall, use your desktop from 
a root account, publish your root password on the web, etc. :-)

Best, :-)
Marko


