SELINUX - Why?

Scot L. Harris webid at cfl.rr.com
Wed Jul 27 19:59:59 UTC 2005


On Wed, 2005-07-27 at 15:24, Mike McCarty wrote:
> I went and read the FAQ on selinux, especially the sections
> on FC2 since that is what I run. I have yet to read *why*
> one would want to run selinux on a machine like mine. The
> FAQ has a question which supposedly addresses this question,
> but there seem to be many presumptions about the system
> on which Linux is installed inherent in the answer, some
> or perhaps all of which do not seem to apply to my system.
> 
> In short, they presume that there is some way that software
> gets onto my system without my being aware of it, but do
> not specify any means by which that might take place.
> 
> Since the issue of how the "malware" gets onto my machine
> is completely bypassed, I consider the answer given in the
> FAQ to be, well, significantly incomplete.
> 
> And augmenting the answer with "We don't know how it might
> get onto your machine" is, IMO, not an adequate answer. It
> begs the question.
> 
> What I mean is, I ask "Why should I run selinux?" The answer
> then seems to be "We don't know, but if you don't bad things
> might happen to your system due to malicious programs."

You are correct, nobody knows how they would get code on to your
system.  I would not say that bad things will happen if you don't run
selinux, but it may mitigate the effects if someone with unethical
motives happens to get access to your system.

Think of selinux as just another layer of defense that is available to
you.  It is impossible to prove that there are no security holes in a
system or the software it is running.  Because of this you need to think
of defense in depth.  You use a hardware firewall or dedicated Linux
firewall box to block most port probes and access from the outside. 
That is one layer.  You use iptables on your machine to allow access to
those services you actually use like ssh and block all others.  This is
another layer.  You utilize strong passwords on your system and
configure ssh to only permit certain users.  Yet another layer of
defense.

But let's say that in a subsequent update of ssh a bug is introduced
which allows someone to gain access to your system.  Or more likely you
somehow disclose your user password and id.   They transfer software to
your machine and proceed to try to gain root access.  With selinux in
place you have additional access controls on various files that make
that job much more difficult if not impossible.  Yet another layer of
defense.  Without selinux the intruder may be able to manipulate certain
files on your system and gain root level access.

Ultimately it is your decision if you want to use selinux or any of the
other security tools available to you.  You may decide that you don't
want to run it.  That is your choice.

All I know is that if my system is a little bit harder to crack than the
next guy, the hacker most likely will move on and not bother me.  :)


-- 
Scot L. Harris
webid at cfl.rr.com

You don't sew with a fork, so I see no reason to eat with knitting needles.
		-- Miss Piggy, on eating Chinese Food 



