what is selinux good for?

Red Squirrel

Just curious as all I ever see it do is break stuff from working. Is it for anything special?

I usually put selinux=0 in the grub.conf file, otherwise stuff like samba, apache, etc. won't work.

For example, I made apache's default directory /data/www and it errored out "that is not a directory" even though it was. I put selinux=0, reboot, it works. The first time I ran into selinux I spent weeks trying to troubleshoot errors that were false. Samba is usually the one that takes the biggest hit.

Are there specialized applications where selinux actually can be left on? I know it's for security but completely disabling a server application is as good as unplugging the server. Security still has to be functional.
 

Brazen

If you leave stuff in the default location, selinux doesn't break anything. Not on RHEL anyway.
 

Nothinman

Just curious as all I ever see it do is break stuff from working. Is it for anything special?

SELinux is a Mandatory Access Control system; its whole point is to stop everything from working except that which is explicitly allowed.

For example, I made apache's default directory /data/www and it errored out "that is not a directory" even though it was. I put selinux=0, reboot, it works. The first time I ran into selinux I spent weeks trying to troubleshoot errors that were false. Samba is usually the one that takes the biggest hit.

Because you need to label /data/www properly so that apache can access it.

Are there specialized applications where selinux actually can be left on? I know it's for security but completely disabling a server application is as good as unplugging the server. Security still has to be functional.

AFAIK everything out of the box in RHEL comes with properly set up SELinux policies so it should work fine. Of course if you move/change things you might have to update the SELinux policy to tell it about those changes.
 

JD50

Most services have an selinux man page. Check the bottom of the main selinux man page and you'll see a list of all of them. Usually it's just changing a boolean or two, and maybe changing the security context of a file or directory.
 

M00T

There are a few commands that you should learn to use with selinux:

list file's context: ls -Z
change file's context: chcon
alert browser: sealert
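
As an added example (not part of any post in this thread), the sketch below reads an AVC denial of the kind a mislabeled web root such as /data/www can produce and prints the relabel commands for it. The sample log line is constructed, and the function names are illustrative.

```shell
#!/bin/sh
# Constructed sample: an AVC denial as auditd records it when httpd touches a
# directory that still carries the generic default_t label (values made up).
SAMPLE_AVC='type=AVC msg=audit(1210000000.123:456): avc:  denied  { getattr } for  pid=2345 comm="httpd" path="/data/www" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir'

# Print the value of key=value field $2 from AVC line $1, quotes stripped.
# Assumes the value contains no spaces.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# Print the type (third field) of an SELinux context user:role:type[:level].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Summarise one denial: which domain was refused which permission on what.
explain_avc() {
    perm=$(printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p')
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    printf '%s denied %s on %s %s (labelled %s)\n' \
        "$src" "$perm" "$(avc_field "$1" tclass)" "$(avc_field "$1" path)" "$tgt"
}

# Print (do not run) the persistent relabel for a web root.
# httpd_sys_content_t is the targeted policy's read-only web content type.
# A bare chcon also works, but its change is lost on a full filesystem
# relabel; the semanage rule is what restorecon applies from then on.
relabel_cmds() {
    printf "semanage fcontext -a -t httpd_sys_content_t '%s(/.*)?'\n" "$1"
    printf 'restorecon -Rv %s\n' "$1"
}

explain_avc "$SAMPLE_AVC"
relabel_cmds "$(avc_field "$SAMPLE_AVC" path)"
```

After running the printed commands as root, `ls -dZ /data/www` should show the new type.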

 

Red Squirrel

Hmm, guess it sounds like it just needs to be reconfigured for software to work. I'll have to read up on it further and consider enabling it rather than just turn it off.

I've been wanting to brush up on Linux security as it seems I'm getting a lot of haxors on my game server lately. If I piss them off (which I've done, by bringing down the ban hammer) then they will try to do more serious hacking, outside of the game. So time to lock things down more.

Though from my understanding selinux is more to protect against internal attacks right? (ex: a user sshed in)
 

Crusty

Originally posted by: RedSquirrel
Hmm, guess it sounds like it just needs to be reconfigured for software to work. I'll have to read up on it further and consider enabling it rather than just turn it off.

I've been wanting to brush up on Linux security as it seems I'm getting a lot of haxors on my game server lately. If I piss them off (which I've done, by bringing down the ban hammer) then they will try to do more serious hacking, outside of the game. So time to lock things down more.

Though from my understanding selinux is more to protect against internal attacks right? (ex: a user sshed in)

Doesn't have to be ssh. If they can open any kind of terminal or get your system to execute arbitrary code they can do damage. If you use SELinux you can prevent those kinds of things from happening.
 

LuckyTaxi

Our internal servers have it enabled by default. Most of the things I try to do on a daily basis wouldn't work until I turned off selinux. I asked the old sysadmin if I could turn it off and his reply was "no man, it blocks users from hacking the box." I told him no, iptables will do that, selinux is more for internal users who have access to the box via ssh or something. 95% of the issues we were having had to do with selinux, so after turning it off, I was able to do daily things such as ssh keyless entries and dns queries. I didn't find it worth my time and effort to play around with it.
 

Nothinman

Though from my understanding selinux is more to protect against internal attacks right? (ex: a user sshed in)

No, SELinux is used to compartmentalize access for everything. So apache can only access files in its context, ssh in its context, etc. It makes local and remote attacks more difficult because each process only has access to a small subset of things on the box.

I told him no, iptables will do that, selinux is more for internal users who have access to the box via ssh or something.

The only way netfilter would even come remotely close to doing what SELinux does for remote users is if you blocked all traffic and then used a whitelist to let certain addresses in to certain ports, but I really doubt that's a viable option. SELinux does so much more than netfilter that it's not even funny.

I didn't find it worth my time and effort to play around with it.

If you do ever get broken into and the old sysadmin can prove that SELinux would've stopped the attack, which will probably be the case, then I hope the time required to rebuild the box costs your company less than what it would have cost them for you to understand SELinux.
 

n0cmonkey

Disabling SELinux because you don't know how to use it == Security/system adminning, you're doing it wrong!

EDIT: And yes, I disable it because I'm lazy and uneducated.

For now.
 

Crusty

Originally posted by: n0cmonkey
Disabling SELinux because you don't know how to use it == Security/system adminning, you're doing it wrong!

Haven't seen your name around here in a while
 

n0cmonkey

Originally posted by: Crusty
Originally posted by: n0cmonkey
Disabling SELinux because you don't know how to use it == Security/system adminning, you're doing it wrong!

Haven't seen your name around here in a while

Busy at work, fed up with newbs.
 

DarkThinker

It's good to have SE-Linux running on your system, it's a nice second layer of security that you might not have otherwise, certainly puts a choke on malicious software. However, if you are lazy like our fellow n0cmonkey and/or don't have the time / energy to go around your system on a relabeling safari fun, then disable it and get your system back and running without SE-Linux interrupting nearly everything you do.

I chose the relabeling route, it's sometimes tedious and time consuming, the selinux alert logs and/or icon make things easier though.
 

Nothinman

Yea, it depends on the tradeoff you're willing to make for security. With SELinux properly set up it's virtually impossible to take over and do anything useful with a machine, but you've got to be prepared to deal with the problems that come along with that level of security.
 