SCIENTIFIC-LINUX-USERS Archives

November 2013

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: David Sommerseth <[log in to unmask]>
Date: Wed, 13 Nov 2013 21:05:42 +0100
On 13. nov. 2013 20:26, John Musbach wrote:
> Maybe it's just me, but it seems like a serious failing of SELinux's
> efforts when most people I've encountered in the Linux world have the
> policy of just disabling SELinux in their images.

Not sure if this was intended as a fire torch or not, or if I'm just being
a bit sensitive.

But I can turn it around:  IPv6 has been available for over a decade (if
not longer).  Is it a failure of IPv6 that so few enable IPv6 in their
networked environments?  Of course not.  It's about convenience and
resistance to changing your attitude to new technologies.  But
eventually you're forced to take the step.

And it's been a similar situation with iptables (and firewalling in
Windows, for that matter).  People were mostly ignorant of the concept
of firewalling, until they realised they had to implement it to have a
more secure environment.  Is iptables (or firewalling) considered a
failure today?

During EL6 installation, there is no way you can disable SELinux.  It
needs to be done explicitly afterwards.  This is because SELinux is
considered to work so well most users really don't need to think about
it.  Seriously.

SELinux has also been available since EL4 and Fedora Core 3.  SELinux is
celebrating 10 years these days.  It's not something brand new, but it
is beginning to really gain traction.  These days even SEAndroid is on
the way (that is SELinux for Android).  SELinux has developed a lot, and
is far more easily available and usable today than it was 10 years ago.
Please don't be afraid of it!

To all of you SELinux sceptics, I have only this to say: if you first
grasp the concept of labelling, SELinux isn't much more difficult than
what iptables used to be in the beginning.  And that article from Dan
Walsh gives a very easy to understand introduction to SELinux.

And seriously, unless you really have a really odd setup, SELinux will
not give you any trouble in EL6.

I have set up roughly 20 different SL6.x servers over the last years.  I
can't remember having had any real issues related to SELinux.  This has
been everything from LDAP servers, web servers (apache and nginx),
e-mail servers (both postfix+amavis+spamassassin and Zimbra), database
servers (both PostgreSQL and MySQL).  I honestly can't remember having
had much trouble with SELinux at all.

If SELinux did kick in, it was usually just to flip some SELinux
booleans (semanage boolean --list), modify some network port contexts
(semanage port --list) or add some extra paths for correct file
labelling (semanage fcontext --list).  Changing those things is really
not more difficult than adding additional iptables rules.  And to figure
out if it is SELinux to blame:  grep denied /var/log/audit/audit.log

Really, stop disabling it!  Try it for real and embrace SELinux now!


kind regards,

David Sommerseth



> On Nov 13, 2013, at 2:17 PM, David Sommerseth <[log in to unmask]> wrote:
> 
>> Hi all,
>>
>> As there has been a couple of SELinux discussions lately, I thought this
>> article could help explain better what SELinux is all about and why it's
>> such a great tool.
>>
>> It's written by one of the core SELinux guys in Red Hat, Daniel Walsh
>> and illustrations by one of Fedora's UX designers, Máirín Duffy.
>>
>> "Your visual how-to guide for SELinux policy enforcement"
>> <http://opensource.com/business/13/11/selinux-policy-guide>
>>
>> Hope you'll enjoy the reading :)
>>
>>
>> --
>> kind regards,
>>
>> David Sommerseth
>>
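
As an added example (not part of the mail above), the triage David describes: grep the denials out of audit.log, then sort each one into the semanage area (port, boolean or fcontext) that usually fixes it. The audit records are constructed samples, and the mapping from denial class to semanage sub-command is a rule of thumb, not policy-derived.

```sh
#!/bin/sh
# Added example, not from the original mail: triage AVC denials the way the
# message suggests ("grep denied /var/log/audit/audit.log") and hint at which
# semanage area (boolean, port, fcontext) is the usual fix. The audit records
# below are constructed samples, not real captures.
SAMPLE_AUDIT='type=AVC msg=audit(1384374342.123:456): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=8088 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1384374342.123:456): arch=c000003e syscall=49 success=no exit=-13
type=AVC msg=audit(1384374350.001:457): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=1337 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1384374360.500:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

# field KEY RECORD: print the value of " KEY=value" (quotes stripped), or nothing
field() {
    rest=${2#*" $1="}
    [ "$rest" = "$2" ] && return 0
    val=${rest%% *}; val=${val#\"}; printf '%s\n' "${val%\"}"
}

# classify RECORD: one triage line per AVC denial; non-AVC records print nothing
classify() {
    case $1 in *"avc:  denied"*) ;; *) return 0 ;; esac
    comm=$(field comm "$1"); tclass=$(field tclass "$1")
    ttype=$(field tcontext "$1"); ttype=${ttype#*:*:}; ttype=${ttype%%:*}   # target type only
    perms=${1#*"denied  { "}; perms=${perms%%" }"*}                          # e.g. name_bind
    case "$tclass:$perms" in
        tcp_socket:name_bind|udp_socket:name_bind)
            echo "$comm: bind to port $(field src "$1") labelled $ttype -> semanage port --list (add a port label)" ;;
        tcp_socket:name_connect|udp_socket:name_connect)
            echo "$comm: connect to port $(field dest "$1") labelled $ttype -> semanage boolean --list (e.g. httpd_can_network_connect_db)" ;;
        file:*|dir:*|lnk_file:*)
            echo "$comm: $perms on $tclass labelled $ttype -> semanage fcontext --list, then restorecon" ;;
        *)  echo "$comm: $perms on $tclass labelled $ttype -> audit2why for details" ;;
    esac
}

# triage: read audit records on stdin, classify every denial (the grep from the mail)
triage() { grep denied | while IFS= read -r rec; do classify "$rec"; done; }

# count_denials: how many AVC denials the constructed sample holds
count_denials() { printf '%s\n' "$SAMPLE_AUDIT" | grep -c denied; }

# Usage: on a real box, run  triage < /var/log/audit/audit.log  instead of the sample
printf '%s\n' "$SAMPLE_AUDIT" | triage
```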
