The Joys of SELinux on a server

Having heard much about SELinux over the last few years, I thought I'd finally make an effort to use it on two servers I've been setting up for a customer. My main reason for using it is that the customer has a fairly large code base, written in a number of different styles over a number of years by different developers. I'm sure there are vulnerabilities in the code.

On one server, once I got over general teething problems (e.g. if I mount a disk at /var/spool, I'll need to get it relabelled), it seemed to work fine - so I've left it to do its thing.

On the other server, unfortunately, I need to install Zend Optimizer (despite its name, it's not an optimizer for performance, more of a code obfuscation/encryption thing to stop someone stealing your "valuable" PHP source code).

Zend Optimizer doesn't play well with SELinux, and annoyingly, despite doing what I assume is the SELinux dance many times, it initially refused to work. In retrospect this seems to be because if you apply two SELinux custom modules, the second replaces the first. Thankfully there's this, which does work.
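The "second module replaces the first" trap above is a module-name collision: semodule treats a module installed under an already-used name (typically "local", from running audit2allow -M local twice) as a replacement for the one already loaded. As an added example that is not from the post, the script below parses two constructed audit2allow-style .te sources, shows that both would be installed under the same name, and merges their require blocks and allow rules into a single module so that neither set of rules is lost. The denials shown are made up for illustration, not the ones the post hit.

```python
import re

# Constructed .te sources standing in for two audit2allow runs, both named "local"
# (the denials are illustrative, not the post's real ones).
ZEND_TE = """module local 1.0;
require {
    type httpd_t;
    type httpd_sys_content_t;
    class file { execmod read };
}
allow httpd_t httpd_sys_content_t:file { execmod read };
"""
MUNIN_TE = """module local 1.0;
require {
    type munin_t;
    class capability net_admin;
    class file read;
}
allow munin_t self:capability net_admin;
"""

def parse_te(src):
    """Return (module name, set of types, {class: set of perms}, [allow rules])."""
    name = re.search(r"^module\s+(\S+)\s+[\d.]+;", src, re.M).group(1)
    types, classes = set(), {}
    for line in re.search(r"require\s*\{(.*?)\n\}", src, re.S).group(1).strip().splitlines():
        kind, rest = line.strip().rstrip(";").split(None, 1)
        if kind == "type":
            types.add(rest)
        elif kind == "class":  # "class file { read write }" or "class dir search"
            cls, perms = rest.split(None, 1)
            classes.setdefault(cls, set()).update(perms.strip("{} ").split())
    rules = [l.strip() for l in src.splitlines() if l.strip().startswith("allow ")]
    return name, types, classes, rules

def merge_modules(name, *sources):
    """Union the require blocks and allow rules of several .te files into one module."""
    types, classes, rules = set(), {}, []
    for src in sources:
        _, t, c, r = parse_te(src)
        types |= t
        for cls, perms in c.items():
            classes.setdefault(cls, set()).update(perms)
        rules += [x for x in r if x not in rules]  # keep order, drop exact duplicates
    req = [f"\ttype {t};" for t in sorted(types)]
    req += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    # Build with: checkmodule -M -m -o NAME.mod NAME.te && semodule_package -o NAME.pp -m NAME.mod
    return f"module {name} 1.0;\n\nrequire {{\n" + "\n".join(req) + "\n}\n\n" + "\n".join(rules) + "\n"
```

Write the merged text to local.te, build it with the commands in the comment and install it with `semodule -i local.pp`; alternatively keep separate modules but give each a distinct name with `audit2allow -M zend` and `audit2allow -M munin`.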

Next I had to fix Munin/ethtool, but this was straightforward enough. Thankfully.

So, so far - it's taken me a number of hours to get around SELinux, so it had better be worth the effort!

Comments

grSecurity, AppArmor

I'm partial to both of the above, particularly grSecurity. Well worth a look :)

root kits everywhere...

then of course there's http://www.theregister.co.uk/2008/09/04/linux_rootkit_released/

Protect thy kernel!

.. and that highlights one of the main reasons I dislike SELinux with intense fury..

http://www.grsecurity.org/lsm.php
Quoting the important bits --

"Everyone please repeat the SELinux mantra: information flow graphs are important!
SELinux is a proven model! What? Kernel exploits? Oh, that's right, SELinux conveniently
leaves kernel exploits out of their "threat model," and no one questions it."

Wouldn't be so bad if that was even vaguely publicized. But oh no, instead we have a bazillion trolls all screaming "Our policy framework is harder to write stuff for, you need a rocket science degree, it *MUST* therefore be more secure than everything else. Pheeer us!". (or words to that general effect)

Other solutions provide flexibility, can be set up in 10 minutes, and provide sufficient protection in a wider range of areas rather than extreme protection in a limited niche. Things like ASLR really should be standard on all servers connected to the Internet, rather than a select few.

RHEL support?

Somehow I doubt I can use those with/on RHEL?

(when I've spoken to them, they implied that changing the kernel would pretty much void any support the customer should/could get)

Worryingly, I read your subject as "Protect thy KENNEL".... clearly I have dogs on the brain.

Support

.. would probably be well and truly voided ;) Dogs are good at protecting their kennels, you have a 'barkwall' followed by a 'reactive intrusion detection system' also known as /usr/sbin/bite!

So what breed do you run?

Mine's a slow labrador who can hardly manage to run for 20 minutes; no doubt you run something lighter and more mobile?

<cue Ubuntu vs Gentoo comments!>

See also: lwn article
