[rhelv6-list] selinux (not quite) disabled?

Lamar Owen lowen at pari.edu
Mon Dec 6 23:29:05 UTC 2010


On Monday, December 06, 2010 06:45:01 am giallu at gmail.com wrote:
> On Sat, Dec 4, 2010 at 5:41 PM, Lamar Owen <lowen at pari.edu> wrote:
> 
> > As desktop use is probably going to involve web browsing (either on an intranet site, or the Internet), and perhaps PDF files enter the picture, and as those are the prime vectors for attacks, and as much personal information as can be swiped is the new target of data thieves, the desktop should be locked down tighter in many ways than the server.

> This is pretty funny, as I've seen several comments around of desktop
> users disabling SELinux because it's something really needed just on
> servers...

Yeah, I know that's the 'conventional' wisdom, but, honestly, I have lots more personal data on my desktop than on any server, and it's under my normal user id.  Using a separate user id to browse, read PDFs, etc from the user id to do online banking, while nice and safe, is rather inconvenient.  Using a VM to do this is like reaching around your back to scratch your elbow.  Now, using SELinux to do this is akin to trying to use a Dremel tool with a steel grinding burr to scratch your elbow, but with the right touch it can be done; just need user tools with the right touch.  And, don't get me wrong, the current state of the Fedora tools is much much better than it used to be.

SELinux has the potential (when set up properly) to make data theft of my personal data harder for web bugs, PDF bugs, and flash bugs to accomplish.  Further, as the recent 'Koobface on Linux' flap shows, yeah, it might not root your box, but theft of personal data doesn't require root.  And a run-once bot with enough intelligence can easily pick up a few things; further, it wouldn't be hard at all to get such a Java (could be flash, could be embedded in a PDF as Javascript; Java is just one way) worm to modify .bashrc (and other known start-on-login scripts) to download and start a fresh copy each time you log in.

Worms, bots, and other assorted malware do not always require root to be damaging; SELinux can help protect ~/.bashrc (for one example) against overwrite by all but user-assigned and trusted programs (emacs, vi, kate, gedit, whatnot).  We need a better configuration and troubleshooting interface so that the protections don't get in the way of the user, which is what happens now typically with SELinux, to where people say 'the fix was to put SELinux in permissive mode' which is patently wrong; workaround, yes, but that's not a fix.

So, yeah, I'm definitely of the camp and mind that while Linux as a rule is more secure against rooting exploits for the most part, worms/bots/malware that don't require root and can happily run as a normal user (like the slow-brute-forcer ssh worms; I caught one doing its deed as a normal user on one machine, no rootkit, no root exploit, just a normal user cronjob and a hidden directory, and a successfully running 'bot' with a large password file....) could become a serious problem.  User-ID-based access control is no longer enough to keep your (normal user) files safe from potential prying eyes.

I know this: of all the Windows malware infections I've seen, the vast majority in the last six months have been web-based, either through a Javascript 'thing' or through a PDF.  The last time one particular Windows box here got 'sploited, it was with a PDF; the PDF in question was a technical specification summary for an older DWDM layer 1 network platform that I was troubleshooting; no anti-malware scanner I have flagged it, but viewing it in Adobe Reader resulted in a reproducible infection on Windows.  I was using Okular on Linux, which read the file fine, but I needed the document on this particular Windows workstation (the management workstation for the DWDM gear) and it got rooted.  Wasted half a day restoring things, when I needed to get a wave back up on the DWDM....

The last time I personally witnessed a web-based attempt (September 17th) was on my Linux desktop; it was the typical 'Windows web Security have detected Trojans on your C: Drive; please click here to fix' with the rather convincing 'Windows Explorer mock-up' skin; this was found on a _Linux_blog_ talking about installing a certain journalling filesystem on a certain Linux variant.  I grabbed a screenshot of the ersatz 'Analysis Security' webpage made up to look like Windows Explorer if anyone wants a laugh....or maybe it's a wakeup call.
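The non-root persistence pattern described in this message (a login script modified to refetch and restart the bot, executables parked in a hidden directory under $HOME, and a normal user's cronjob to keep it running) is something you can sweep a home directory for even before SELinux confinement is in place. What follows is an added example, not code from the original message nor from Red Hat or Fedora: a POSIX shell audit function with constructed sample input. The list of login scripts, the allowlist of hidden directories, the regular expressions, the `example.invalid` URL in the sample, and the convention of passing a saved `crontab -l` dump as a second argument are all assumptions chosen for illustration, not a vetted ruleset.

```shell
#!/bin/sh
# Added example (not from the original message): audit a home directory for
# the non-root persistence pattern discussed above. Paths, patterns and the
# allowlist below are assumptions for illustration; tune them per site.

# Login scripts a worm would plausibly append to (assumed list).
LOGIN_SCRIPTS=".bashrc .bash_profile .bash_login .profile .xprofile"

# Hidden directories that legitimately hold executables on many desktops
# (assumed allowlist).
HIDDEN_ALLOW=".local .config"

# ERE for a login-script line that downloads-and-executes, detaches a
# program living under a hidden directory, or backgrounds one from there.
SUSPECT_RE='(curl|wget)[^|]*\|[[:space:]]*(ba)?sh|(nohup|setsid)[[:space:]]+[^[:space:]]*/\.|(~|\$HOME)/\.[^/[:space:]]+/[^[:space:]]+[[:space:]]*&'

# Non-comment crontab entry that runs from a hidden path or fetches code.
CRON_RE='^[^#]*(/\.[^/[:space:]]+/|curl|wget)'

# scan_home HOME_DIR [CRONTAB_DUMP]
# Prints one finding per line ("<kind>: <detail>") and returns 1 if anything
# was found, 0 if the directory looks clean. CRONTAB_DUMP is the output of
# `crontab -l` saved to a file, so the scan itself never touches cron.
scan_home() {
    home="$1"
    cronfile="${2:-}"
    found=0

    # 1. start-on-login scripts that fetch or launch something hidden
    for f in $LOGIN_SCRIPTS; do
        p="$home/$f"
        [ -f "$p" ] || continue
        if grep -qE "$SUSPECT_RE" "$p"; then
            found=1
            grep -nE "$SUSPECT_RE" "$p" | sed "s|^|login-script: $f:|"
        fi
    done

    # 2. executables inside hidden directories not on the allowlist
    for d in "$home"/.*/; do
        d=${d%/}
        [ -d "$d" ] || continue
        name=$(basename "$d")
        case " . .. $HIDDEN_ALLOW " in *" $name "*) continue ;; esac
        execs=$(find "$d" -type f -perm -100 2>/dev/null)
        if [ -n "$execs" ]; then
            found=1
            printf '%s\n' "$execs" | sed 's|^|hidden-exec: |'
        fi
    done

    # 3. user crontab entries that keep the bot alive
    if [ -n "$cronfile" ] && [ -f "$cronfile" ]; then
        if grep -qE "$CRON_RE" "$cronfile"; then
            found=1
            grep -nE "$CRON_RE" "$cronfile" | sed 's|^|crontab: |'
        fi
    fi

    return $found
}
```

To run it against a real account, save the crontab first (`crontab -l > /tmp/cron.txt`) and then call `scan_home "$HOME" /tmp/cron.txt`; a non-zero exit means something matched. Expect noise on desktops that keep tools under other hidden directories (browser plugin directories, for instance), which is exactly why the allowlist is a tunable assumption. This is a detective sweep after the fact; it complements, and does not replace, the preventive confinement the message argues SELinux should provide for files like ~/.bashrc.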



