SELINUX - Why?

Daniel J Walsh dwalsh at redhat.com
Fri Jul 29 13:52:55 UTC 2005


Timothy Murphy wrote:

>taharka wrote:
>
>>>What I mean is, I ask "Why should I run selinux?" The answer
>>>then seems to be "We don't know, but if you don't bad things
>>>might happen to your system due to malicious programs."
>
>>If you're interested, there's an excellent read on selinux, in the
>>August issue of "Sys Admin Magazine". Fortunately, this article can be
>>read online at: http://www.samag.com/documents/s=9820/sam0508a/0508a.htm
>>:-) Might make things a little clearer for you ;-)
>
>I read this article,
>and it does indeed seem to give a reasonably clear account
>of what is a rather complicated system (selinux).
>
>I don't personally think there is any serious danger of selinux
>introducing new vulnerabilities,
>(a) because the authors of selinux are likely to take much more care
>about such matters than the authors of other applications, and
SELinux to this point has been additive, i.e. we are not turning off 
other security measures on the system.  So DAC enforcement is still in 
effect.

>(b) there are hundreds, if not thousands, of applications on a Linux system,
>so the danger of any particular application causing security problems
>is negligibly small.
That seems backwards to me.  As the number of applications increases, the 
complexity of the system increases.  So the chance of a vulnerability 
increases.

>However, I am not convinced that it is sensible to run selinux
>on a small home network with three or four computers on it.
>The problems selinux causes are out of all proportion
>to the insurance it might supply.
>
>Selinux might make sense for a large system with hundreds of users,
>with a system administrator who has time to devote to such matters.
>
>There are two issues which I have yet to be convinced about:
>
>1. None of the documentation I have read gives any concrete example
>of an intrusion that has actually occurred
>and which might have been stopped by selinux.
>All the examples seem to be purely theoretical.
>
>2. If someone actually broke into my system,
>it seems to me that they could do a large amount of damage,
>eg destroying or altering my personal files,
>regardless of what security measures I had taken.
>
>It is rather like someone breaking into your house.
>You can hide your valuables, certainly,
>which I would take to be equivalent to encrypting important data.
>But there is not much point in locking the drawers in your desk.
>
The analogy I would use is that all the doors and windows of your house 
now lead to vaults, not the interior of the house.  So an intruder 
might gain access to the vault where the vulnerability existed and would 
have access to the information in the vault, but not other vaults and 
the rest of the house.

The targeted policy's goal is to protect userspace from system space.  So we 
try to lock down all of system space into individual vaults or 
compartments.  So if someone breaks into your personal apache web 
server/ftp server and gains a shell account, they cannot gain access 
to other parts of the system.  With targeted policy, userspace should be 
unaffected, so you shouldn't really notice SELinux is running.

>One last point, which leads me to favour selinux.
>I believe selinux has been introduced largely as a Linux "selling point",
>the idea being that one could now claim
>Linux is far more secure than Windows.
>Personally, I'm all in favour of this,
>and would be willing to put up with the inconvenience of selinux
>in order to further this argument.


-- 
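An added example, not part of the original thread or of Fedora's SELinux tooling: the "vaults" described above are SELinux domains, and on a running system you can see which processes sit inside one and which do not by reading the type field of each process context from `ps -eZ`. The script below parses such output into domain/command pairs and separates confined system daemons from unconfined processes. The `ps` lines are constructed sample data so the script runs offline; the type `unconfined_service_t` is assumed here as a later addition to targeted policy, and the PIDs and command names are made up.

```shell
#!/bin/sh
# Constructed sample of `ps -eZ --no-headers` output (assumption: these
# five processes and their contexts are invented for illustration).
# Format: <user>:<role>:<type>:<level>  PID  TTY  TIME  CMD
SAMPLE_PS='system_u:system_r:httpd_t:s0         1234 ?   00:00:01 httpd
system_u:system_r:ftpd_t:s0          1301 ?   00:00:00 vsftpd
system_u:system_r:sshd_t:s0          1410 ?   00:00:00 sshd
unconfined_u:unconfined_r:unconfined_t:s0 2000 pts/0 00:00:00 bash
system_u:system_r:unconfined_service_t:s0 2100 ? 00:00:00 some-daemon'

# Emit "<type> <command>" for every process line.  The type is the third
# colon-separated field of the context; the command is the last column.
list_domains() {
    printf '%s\n' "$1" | awk '{ split($1, c, ":"); print c[3], $NF }'
}

# Number of processes running inside a confined domain (a "vault").
# unconfined_t is the user shell; unconfined_service_t (assumed name for a
# daemon the policy does not confine) is treated as outside the vaults too.
count_confined() {
    list_domains "$1" |
        awk '$1 != "unconfined_t" && $1 != "unconfined_service_t" { n++ }
             END { print n + 0 }'
}

# Commands that are NOT confined: the ones an administrator would review,
# since a compromise there is not limited to a single vault.
list_unconfined() {
    list_domains "$1" |
        awk '$1 == "unconfined_t" || $1 == "unconfined_service_t" { print $2 }'
}

# Report on the sample.  On a real system with SELinux enabled, feed it
# live data instead:  count_confined "$(ps -eZ --no-headers)"
echo "confined processes: $(count_confined "$SAMPLE_PS")"
echo "unconfined commands:"
list_unconfined "$SAMPLE_PS"
```

Running it on the sample reports three confined processes (httpd, vsftpd, sshd) and lists `bash` and `some-daemon` as unconfined, which matches the picture above: the network-facing daemons each live in their own compartment while the user's shell is untouched by the targeted policy.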