dumb question / idea

Stephen Smalley sds at epoch.ncsc.mil
Tue Sep 14 15:34:08 UTC 2004


On Tue, 2004-09-14 at 04:11, josh baverstock wrote:
> I must first admit that I am new to linux, I am not qualified to suggest a 
> feature, so please consider this a question.
> 
> IF it's true that when SELinux is fully enabled the restrictions can cause 
> some problems when programs do things they are supposed to do but normally 
> don't, THEN I have an idea.
> 
> What if an intrusion detection system were to inform the SELinux server that 
> an intrusion is likely happening, which triggers a change from 
> non-enforcement mode to enforcement mode?
> 
> Would this "raise the shields" method be useful for situations where 
> enforcement mode just isn't right, or is this more of a fundamental 
> misunderstanding on my part of how SELinux works...?

Switching back and forth between permissive mode and enforcing mode in
this manner is not a good idea, as:
- there is no SELinux protection at all while in permissive mode (and
the IDS trigger to switch to enforcing mode may be processed too late to
prevent the attack),
- the lack of any enforcement will likely cause your system to migrate
into a state of operation while running in permissive mode that will
break in spectacular fashion when you are suddenly switched into
enforcing mode by some external event, in which case your IDS suddenly
becomes a vector for an easy DOS attack.

It would be better to instead define a policy that matches your security
goals in the first place, even if they are modest, and run enforcing all
the time with that policy (e.g. see the targeted policy in FC3/devel). 
You could also try to implement multiple "levels" of security in a
single policy using the runtime policy boolean support, and have your
IDS trigger well-defined changes in the policy state by changing one or
more policy booleans in response to events.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
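
An added example, not part of the original message: a sketch of an IDS response hook that stays in enforcing mode and moves between predefined "levels" by setting policy booleans. The boolean names (ids_restrict_network, ids_restrict_exec), the level names and the GETENFORCE/SETSEBOOL override variables are assumptions made for illustration; the booleans would have to be defined in your own policy.

```shell
#!/bin/sh
# IDS response hook: move between predefined SELinux policy "levels" by
# setting policy booleans, while the system stays in enforcing mode throughout.
# ASSUMPTION: ids_restrict_network and ids_restrict_exec are hypothetical
# booleans that your own policy would have to define and use in conditionals.

# Each level is a complete boolean state, so the result never depends on
# which level was active before.
level_state() {
    case "$1" in
        normal)   echo "ids_restrict_network=0 ids_restrict_exec=0" ;;
        elevated) echo "ids_restrict_network=1 ids_restrict_exec=0" ;;
        lockdown) echo "ids_restrict_network=1 ids_restrict_exec=1" ;;
        *)        return 1 ;;
    esac
}

apply_level() {
    # Unknown levels are rejected, not escalated: malformed IDS input must
    # not be able to push the system into its most restrictive state.
    state=$(level_state "$1") || { echo "unknown level: $1" >&2; return 2; }

    # Booleans only tune an enforcing policy. If the system is permissive,
    # report it and stop; this hook never toggles enforcing mode itself.
    mode=$("${GETENFORCE:-getenforce}") || return 3
    if [ "$mode" != "Enforcing" ]; then
        echo "refusing: SELinux mode is $mode" >&2
        return 3
    fi

    # No -P: the change is runtime-only and reverts to the policy default
    # on reboot. $state is left unquoted so it splits into name=value args.
    # shellcheck disable=SC2086
    "${SETSEBOOL:-setsebool}" $state
}

# Usage: ids-level.sh normal|elevated|lockdown
[ "$#" -eq 0 ] || apply_level "$1"
```

Because every level must keep the system's normal workload functional, each one should be tested under enforcing mode before the IDS is allowed to select it.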



