[lug] selinux

Rob Nagler nagler at bivio.biz
Sun Jan 28 10:50:36 MST 2018

On Sat, Jan 27, 2018 at 5:40 PM, Alan Robertson wrote:

> There was a server on the Internet that was completely open that no one
> could become root on because of SELinux.

This statement may be true (no way to verify), but it's not saying anything
useful. You don't need to be root to get all the data off of a server,
which is probably all that's important. The Equifax hack, for example, was
an exploit of Tomcat/Struts which was presumably running as user apache. If
a server does anything useful (besides being a honey trap), and there is a
bug in one of its services (which had rights to read data, which all useful
servers generally do), then SELinux is useless. SEL does not protect
against intrusions, just escalations.

I think SEL is misunderstood to the point that it is security theater. For
example, the typical instruction for people "stuck" with SEL is to:

# grep some-service /var/log/audit/audit.log | audit2allow -M some-service
# semodule -i some-service.pp

At that point, you have "fixed" SEL, but what that means, you have no idea.
Consider the nginx case a while ago: I wanted to open port 7000, so I did
the above magic, and realized that it enabled "gatekeeper_port_t", which I
would have thought was port 7000, but it isn't. It's two TCP and two UDP:

# semanage port -l | grep gatekeeper
gatekeeper_port_t              tcp      1721, 7000
gatekeeper_port_t              udp      1718, 1719

Now, if you don't know better, you've just enabled some ports, which may or
may not matter. If I was relying on SEL (instead of iptables), then I would
have created a potential vulnerability. Do you know what port 1718, 1719,
and 1721 do? Me either.
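An added example (not from the post above) that ties the two points together: before loading a module that audit2allow generated, list every port its port types actually cover, so an "allow ... gatekeeper_port_t" rule is seen as 1721/7000 tcp plus 1718/1719 udp rather than "port 7000". The .te file and the port listing are constructed samples in the shape audit2allow and `semanage port -l` emit; on a real box you would save the listing with `semanage port -l > ports.txt`.

```shell
#!/bin/sh
# Added example, not code from the original post. Resolves the *_port_t
# types in an audit2allow .te file to the concrete ports they cover.
# Assumes a saved listing: semanage port -l > ports.txt
set -eu

# Print the *_port_t types named in the allow rules of a .te file.
extract_port_types() {
    sed -n 's/^allow [^ ]* \([A-Za-z0-9_]*_port_t\):.*/\1/p' "$1" | sort -u
}

# Print "proto port" for every port a type covers, per the saved listing
# (each listing line is: TYPE PROTO PORT, PORT, ... with trailing commas).
resolve_port_type() {
    awk -v t="$2" '$1 == t { for (i = 3; i <= NF; i++) { p = $i; sub(/,$/, "", p); print $2, p } }' "$1"
}

# Combine: every port the module would let the domain bind or connect to.
ports_opened_by_module() {
    extract_port_types "$1" | while read -r type; do
        resolve_port_type "$2" "$type" | sed "s/^/$type /"
    done
}

# Constructed sample inputs standing in for the real files.
tmp=$(mktemp -d)
cat > "$tmp/some-service.te" <<'EOF'
module some-service 1.0;

require {
	type httpd_t;
	type gatekeeper_port_t;
	class tcp_socket name_bind;
}

#============= httpd_t ==============
allow httpd_t gatekeeper_port_t:tcp_socket name_bind;
EOF
cat > "$tmp/ports.txt" <<'EOF'
SELinux Port Type              Proto    Port Number

gatekeeper_port_t              tcp      1721, 7000
gatekeeper_port_t              udp      1718, 1719
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
EOF

# Review this output before running: semodule -i some-service.pp
ports_opened_by_module "$tmp/some-service.te" "$tmp/ports.txt"
```

If the output shows ports you did not intend to open, add a dedicated port type with `semanage port -a` instead of loading the generated module as-is.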
