[lug] SELinux

Mike mikedawg at gmail.com
Sun Jan 28 16:03:45 MST 2018

> Has anyone actually seen selinux block an external attack?  I ask mostly
> because it's bloatware and reconfiguring it takes forever (likely due to
> being hard-written to the kernel).  Thanks
> mad.scientist.at.large (a good madscientist)
> --
> God bless the rich, the greedy and the corrupt politicians they have put
> into office.   God bless them for helping me do the right thing by giving
> the rich my little pile of cash.  After all, the rich know what to do with
> money.
> Message: 2
> Date: Sat, 27 Jan 2018 17:40:08 -0700
> From: Alan Robertson <alanr at unix.sh>
> To: mad.scientist.at.large at tutanota.com, lug at lug.boulder.co.us
> Subject: Re: [lug] selinux
> Message-ID: <1517100008.1647334.1250439216.732250C0 at webmail.messagingengine.com>
> Content-Type: text/plain; charset="utf-8"
> There was a server on the Internet that was completely open that no one
> could become root on because of SELinux.
> --
>   Alan Robertson
>   alanr at unix.sh
> ------------------------------
> Message: 3
> Date: Sun, 28 Jan 2018 10:50:36 -0700
> From: Rob Nagler <nagler at bivio.biz>
> To: "Boulder (Colorado) Linux Users Group -- General Mailing List"
>         <lug at lug.boulder.co.us>
> Subject: Re: [lug] selinux
> Message-ID: <CAJB=V00Q=jyzFHYq7bRNsAN303x66Ff+_JbfasOyDUb1uPDmLw at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
> On Sat, Jan 27, 2018 at 5:40 PM, Alan Robertson wrote:
> > There was a server on the Internet that was completely open that no one
> > could become root on because of SELinux.
> >
> This statement may be true (no way to verify), but it's not saying anything
> useful. You don't need to be root to get all the data off of a server,
> which is probably all that's important. The Equifax hack, for example, was
> an exploit of Tomcat/Struts which was presumably running as user apache. If
> a server does anything useful (besides being a honey trap), and there is a
> bug in one of its services (which had rights to read data, which all useful
> servers generally do), then SELinux is useless. SEL does not protect
> against intrusions, just escalations.
> I think SEL is misunderstood to the point that it is security theater. For
> example, the typical instruction for people "stuck" with SEL is to:
> # grep some-service /var/log/audit/audit.log | audit2allow -M some-service
> # semodule -i some-service.pp
> At that point, you have "fixed" SEL, but what that means, you have no idea.
> Consider the nginx case a while ago, I wanted to open port 7000 so I did
> the above magic, and realized that it enabled "gatekeeper_port_t", which I
> would have thought was port 7000, but it isn't. It's two tcp and two UDP
> ports:
> # semanage port -l | grep gatekeeper
> gatekeeper_port_t              tcp      1721, 7000
> gatekeeper_port_t              udp      1718, 1719
> Now, if you don't know better, you've just enabled some ports, which may or
> may not matter. If I was relying on SEL (instead of iptables), then I would
> have created a potential vulnerability. Do you know what ports 1718, 1719,
> and 1721 do? Me neither.
> Rob

I'm a huge fan of SELinux, and definitely recommend that anyone out there
in the "open" world should be running SELinux.

So, to sort of address the info that Rob placed out there: his example was
specifically dealing with ports. Sure, if you open up ports on SELinux,
just like iptables, you're opening that area of "attack". But even beyond
ports, there are file and directory permissions put out by SELinux that are
just as valuable. Only the right context of user should be able to open up
files in /var/www? Sounds great: you just prohibited an attacker logging
into your machine as "RandomRarelyUsedServiceAccount" from
downloading/manipulating the files for apache in /var/www.

This is purely skimming the top-most layer of SELinux, but the amount of
security it provides is very useful.

NOTE: Not that it matters in this conversation, or anything, but I will
throw it out there, that I work for RH, so maybe that accounts for some of
my pro-SELinux sentiment.
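
The audit2allow shortcut Rob describes, and the port-type surprise that followed, as an added example that is not from anyone in this thread: a small Python script that reads AVC denials the way audit2allow would, prints the allow rules they would turn into, and expands any referenced *_port_t type to every port it actually covers. The audit lines and the semanage listing below are constructed samples, not taken from a real system.

```python
import re

# Constructed AVC denials in audit.log format (the second one is a
# file read, the first is nginx binding to port 7000 as in the thread).
AUDIT_LOG = """\
type=AVC msg=audit(1517100008.123:456): avc:  denied  { name_bind } for  pid=1234 comm="nginx" src=7000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:gatekeeper_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1517100009.124:457): avc:  denied  { read } for  pid=1235 comm="nginx" name="index.html" dev="dm-0" ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1517100009.124:457): arch=c000003e syscall=2 success=no exit=-13
"""

# Constructed stand-in for `semanage port -l` output.
SEMANAGE_PORTS = """\
gatekeeper_port_t              tcp      1721, 7000
gatekeeper_port_t              udp      1718, 1719
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
"""

# Pull the permission set, source type, target type and object class out
# of one AVC line; the type is the third colon-separated field of a context.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?'
    r'scontext=\w+:\w+:(?P<stype>\w+)\S* tcontext=\w+:\w+:(?P<ttype>\w+)\S* '
    r'tclass=(?P<tclass>\w+)')

def parse_denials(log_text):
    """Return (source type, target type, class, perms) for each AVC denial."""
    rules = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules.append((m['stype'], m['ttype'], m['tclass'],
                          tuple(sorted(m['perms'].split()))))
    return rules

def parse_port_types(listing):
    """Map each port type to the (proto, port) pairs it labels."""
    ports = {}
    for line in listing.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        ptype, proto, nums = parts
        ports.setdefault(ptype, []).extend((proto, int(n)) for n in nums.split(','))
    return ports

def explain(log_text, listing):
    """The allow rules audit2allow would emit, annotated with what a port type really covers."""
    port_types = parse_port_types(listing)
    report = []
    for stype, ttype, tclass, perms in parse_denials(log_text):
        rule = f"allow {stype} {ttype}:{tclass} {{ {' '.join(perms)} }};"
        if ttype in port_types:
            covered = ', '.join(f"{p}/{n}" for p, n in port_types[ttype])
            rule += f"  # {ttype} also covers: {covered}"
        report.append(rule)
    return report

if __name__ == "__main__":
    print("\n".join(explain(AUDIT_LOG, SEMANAGE_PORTS)))
```

Run against a real box, the same logic would take the AVC lines from `ausearch -m avc` and the listing from `semanage port -l`; the point is to read what the generated allow rule grants before `semodule -i` installs it.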
