| View previous topic :: View next topic |
| Should I try switching profiles to SElinux? |
| Yes, more secure |
|
27% |
[ 3 ] |
| No, too much of a hassle |
|
72% |
[ 8 ] |
|
| Total Votes : 11 |
|
| Author |
Message |
bulletbill22
n00b
Joined: 15 Oct 2022
Posts: 34
|
 Posted: Thu Jul 11, 2024 6:54 pm Post subject: Thoughts on SElinux? |
 |
|
I have been considering switching my profile to SElinux for additional security on one of my servers. I've never tried to use it before because I have only heard bad things, but especially that it has impossibly opaque logs / error messages / debugging tools. The only people who promote it don't usually offer really compelling reasons to use it beyond a general "its more secure", but if its that much of a hassle to configure then besides being less secure (after I disable it) its also going to be a hassle to debug (after it kills and buries ssh or something). But maybe its gotten easier to use in the last 2-3 years?
From what I understand, the additional security features will be mildly useful for my case. I've also heard that it actually increases attack surface considering its origins.
Is it worth trying to switch to SElinux? |
|
| Back to top |
|
 |
Leonardo.b
Guru
Joined: 10 Oct 2020
Posts: 307
|
| Posted: Thu Jul 11, 2024 8:49 pm Post subject: |
|
|
| I believ SELinux was intentionally created overcomplicated, in order to promote support business. |
|
| Back to top |
|
|
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 4642
Location: Bavaria
|
|
| Back to top |
|
|
pjp
Administrator
Joined: 16 Apr 2002
Posts: 20218
|
| Posted: Thu Jul 11, 2024 10:22 pm Post subject: |
|
|
It's easier on a new "server" (no GUI) than on an existing server, and probably most difficult on an existing desktop that you want to continue to use while trying to enable selinux.
selinux uses enforcing moe and permissive mode. Permissive mode will "tell" you what policies you need to enable to allow "the things you're doing" to work in enforcing mode.
The main challenge with learning selinux is that it isn't in common use, and because it is security related, few want to discuss their poor security posture ;). So it requires a lot of reading about something you aren't familiar with, and what you really want is "how do I turn it on and make it work?"
So start with a VM, try and get a simple server working. Maybe that's an http server, and rsync server, or just an ssh server. SSH might be the best to start with, but I'd try to find the simplest server possible.
Maybe even netcat (I think this should work?) | Code: | | nc -l <ip address> <port #> |
If you have a spare computer or can use a VM, that should give you enough of an idea. Once you write the policies, they should be reusable on similarly built systems.
The reason this is harder on an existing system is because once you enable enforcing, it enforces everything. So test on a separate machine / VM, create working policies, then apply them to an existing system.
Also, learn how to disable enforcing mode from the kernel boot command line.
(I voted "other" / no vote)
_________________
Quis separabit? Quo animo? |
|
| Back to top |
|
|
bulletbill22
n00b
Joined: 15 Oct 2022
Posts: 34
|
| Posted: Fri Jul 12, 2024 6:48 am Post subject: |
|
|
| Quote: | | selinux uses enforcing moe and permissive mode. Permissive mode will "tell" you what policies you need to enable to allow "the things you're doing" to work in enforcing mode. |
So I can switch to SElinux, leave it in permissive mode forever while I chip away at all the bugs it thinks I have, then when it stops giving me errors I can turn it on and hopefully it won't kill my sshd? I feel like that is a pretty good way to get introduced to it. I'm sure I will understand it by the time I am done debugging errors.  |
|
| Back to top |
|
|
nicop
n00b
Joined: 10 Apr 2014
Posts: 57
|
| Posted: Fri Jul 12, 2024 7:43 am Post subject: Re: Thoughts on SElinux? |
|
|
| bulletbill22 wrote: | | The only people who promote it don't usually offer really compelling reasons to use it beyond a general "its more secure" |
What else could they say ?
Why use a password ? " its more secure"
There is another reason : it really helps to understand interactions between programs on a server (files permissions, sockets, caps ...). A good opportunity to learn.
| bulletbill22 wrote: | | So I can switch to SElinux, leave it in permissive mode forever while I chip away at all the bugs it thinks I have, then when it stops giving me errors I can turn it on and hopefully it won't kill my sshd? |
Yes. Be careful to keep a local user in the unconfined domain.
| Quote: | | Should I try switching profiles to SElinux ? |
Clearly yes on a server. |
|
| Back to top |
|
|
lars_the_bear
Apprentice
Joined: 05 Jun 2024
Posts: 248
|
| Posted: Fri Jul 12, 2024 8:00 am Post subject: |
|
|
| pjp wrote: |
The main challenge with learning selinux is that it isn't in common use [...] |
That hasn't been my experience. All my Linux customers run SELinux in enforcing mode, because it's the 'right thing to do' -- in the way that not writing your password on a post-it note is the right thing to do. That's not to say that they understand it, or that I understand it fully either. It's fiddly to use (in my experience), but it allows a fine-grained control over which processes/users can do what, to what, that ordinary Linux permissions do not.
On the computers I use at home for business, I also run SELinux in enforcing mode, for the same reason I use whole-disk encryption: it's expected of me. Customers won't trust me with their data unless I do these things.
I confess, though, that I don't use it on my private computers, because it's a hassle  I'd be more inclined to use it on a system that is exposed to the public Internet, although I suspect that the benefit it offers is in proportion to the time you're willing to spend configuring it.
BR, Lars. |
|
| Back to top |
|
|
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54509
Location: 56N 3W
|
| Posted: Fri Jul 12, 2024 9:19 am Post subject: |
|
|
bulletbill22,
SELinux is to prevent untrusted users doing what they are not supposed to do.
In an environment where you have untrusted users, it can help with some threats.
If you are running a server with untrusted users, you have lost anyway.
That's doing is wrong.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
| Back to top |
|
|
lars_the_bear
Apprentice
Joined: 05 Jun 2024
Posts: 248
|
| Posted: Fri Jul 12, 2024 9:51 am Post subject: |
|
|
| NeddySeagoon wrote: |
SELinux is to prevent untrusted users doing what they are not supposed to do.
|
I would argue that SELinux is better at preventing unreliable applications doing what they are not supposed to. As you say, there's a limit to what you can do about untrustworthy users.
Some applications -- webservers are a particular example -- are exposed to a very hostile environment. If there are bugs or vulnerabilities in a webserver, sooner or later they are found. When they are found, we want our webservers to have as little access to the rest of the system as is practicable.
There are other ways to accomplish this, than using SELinux. However, SELinux is one way to do it. Distributions like RHEL -- and probably others -- often have default webserver configuration that is compatible with strict SELinux policies.
Any software that faces the public Internet has to be regarded as a target these days. But some businesses have large-scale private WANs that are almost as hostile as the Internet.
In general, if I need to use SELinux, I will go for a Linux distribution where it is a first-class feature, enabled by default, and with SELinux-compliant packages available. My experience is that setting it up post-hoc is a real pain.
BR, Lars. |
|
| Back to top |
|
|
nicop
n00b
Joined: 10 Apr 2014
Posts: 57
|
| Posted: Fri Jul 12, 2024 10:06 am Post subject: |
|
|
| NeddySeagoon wrote: | | If you are running a server with untrusted users, you have lost anyway. |
How get a server with only "trusted" users and for which selinux would be useless ? |
|
| Back to top |
|
|
Hu
Administrator
Joined: 06 Mar 2007
Posts: 22181
|
| Posted: Fri Jul 12, 2024 1:29 pm Post subject: |
|
|
If a user is supposed to be able to get root at will, that user is trusted. If all users with shell access meet that definition, then they are all trusted. Some servers are like this: only selected members of the IT department have any shell access at all, and those that are given shell access are also given full sudo, because their job responsibilities require being able to completely reconfigure the server at will, to suit the business's whim of the day. This may not be a good practice in the larger sense, but it does happen, and if the set of people with this access is small enough (and they have good reason not to abuse it), it can work.
As for whether SELinux is useless in that context, it depends on what the applications running on that machine are supposed to do, and whether they are simple enough that you can say you trust that they cannot misbehave. Some container-based designs can satisfy this without SELinux. If the container is so thoroughly stripped down that even if the application in the container has a remote code execution bug, there's nothing interesting for the attacker to do with that code execution, then SELinux can add little or no value on top of that. On the other extreme, the pre-container way of running servers, where remote code execution lets the attacker run anything from /usr/bin, could benefit greatly from an SELinux policy that disallows running anything interesting. |
|
| Back to top |
|
|
lars_the_bear
Apprentice
Joined: 05 Jun 2024
Posts: 248
|
| Posted: Fri Jul 12, 2024 3:00 pm Post subject: |
|
|
| Hu wrote: | | Some container-based designs can satisfy this without SELinux. If the container is so thoroughly stripped down that even if the application in the container has a remote code execution bug, there's nothing interesting for the attacker to do with that code execution, then SELinux can add little or no value on top of that. |
The problem here is that a container that is so impoverished is unserviceable. If you need to investigate a problem with the containerized application, you can't, because there's no darned tools to do it with.
As a result, in my work I find a tension between stripping down the container, and allowing some tools for troubleshooting. And if you allow tools for troubleshooting, you potentially assisting an intruder, with a remote code execution flaw in hand, to break out of the container.
I would use enforcing SELinux on the host of a containerized application that is Internet-facing. Of course, whether you would need to do such a thing depends on how paranoid you are. Or, more likely, how paranoid your clients are.
BR, Lars. |
|
| Back to top |
|
|
bulletbill22
n00b
Joined: 15 Oct 2022
Posts: 34
|
| Posted: Fri Jul 12, 2024 3:39 pm Post subject: |
|
|
| Quote: | | SELinux is to prevent untrusted users doing what they are not supposed to do. |
| Quote: | | I would argue that SELinux is better at preventing unreliable applications doing what they are not supposed to. As you say, there's a limit to what you can do about untrustworthy users. |
In my particular case, this server is running a variety of apps that may have holes in them. I recall once a bug in wordpress that would allow you to upload php scripts in place of images, then you could run any php script on the host that you wanted. Basically, I don't know what vulnerabilities a minecraft server inside of docker could have in them and want to keep them isolated from the other services the server provides. |
|
| Back to top |
|
|
pjp
Administrator
Joined: 16 Apr 2002
Posts: 20218
|
| Posted: Fri Jul 12, 2024 4:06 pm Post subject: |
|
|
| bulletbill22 wrote: | | So I can switch to SElinux, leave it in permissive mode forever while I chip away at all the bugs it thinks I have, then when it stops giving me errors I can turn it on and hopefully it won't kill my sshd? I feel like that is a pretty good way to get introduced to it. I'm sure I will understand it by the time I am done debugging errors. :lol: |
Not quite. At least I don't think so. I believe permissive mode tells you whats happening in an "informational" logging style. It isn't an error, so I don't believe they go away when in permissive mode. I may be mistaken though, so you'd have to test. Unless of course someone else knows.
_________________
Quis separabit? Quo animo? |
|
| Back to top |
|
|
pjp
Administrator
Joined: 16 Apr 2002
Posts: 20218
|
| Posted: Fri Jul 12, 2024 4:20 pm Post subject: |
|
|
| lars_the_bear wrote: | | pjp wrote: |
The main challenge with learning selinux is that it isn't in common use [...] |
That hasn't been my experience. All my Linux customers run SELinux in enforcing mode, because it's the 'right thing to do' -- in the way that not writing your password on a post-it note is the right thing to do. That's not to say that they understand it, or that I understand it fully either. It's fiddly to use (in my experience), but it allows a fine-grained control over which processes/users can do what, to what, that ordinary Linux permissions do not. |
When I was trying to work with it a number of years ago, the resources available to get it working were not great. So either the situation has changed since then, or not many of those using it are forthcoming with their experiences. I loosely correlate this with the search terms reported by search engines. More searches for Linux probably means more people using Linux, than say BSD or whatever. But, when it comes to security, it seems to be a kind of Fight Club (disclosure, haven't seen it). Consider the plethora of security guides / blogs / whatevers that, for demonstration purposes, show how to do something as root, when in practice, that's not how you're supposed to do it. Except no one ever demonstrates it "properly."
To me, using anything and not understanding it is a problem waiting to happen (see my previous comment about learning how to disable selinux it before booting).
_________________
Quis separabit? Quo animo? |
|
| Back to top |
|
|
pjp
Administrator
Joined: 16 Apr 2002
Posts: 20218
|
| Posted: Fri Jul 12, 2024 4:38 pm Post subject: |
|
|
| lars_the_bear wrote: | | I would use enforcing SELinux on the host of a containerized application that is Internet-facing. Of course, whether you would need to do such a thing depends on how paranoid you are. Or, more likely, how paranoid your clients are. |
One of the potential uses of selinux is to prevent anyone from using root and only allowing root to do predetermined activities. And yes, when I was expected to respond in the middle of the night, not having root access was infuriating. That wasn't an selinux situation, and I could get it, but Extra Steps. But hey, at least that regulation prevented any subsequent breaches and identity theft.
_________________
Quis separabit? Quo animo? |
|
| Back to top |
|
|
lars_the_bear
Apprentice
Joined: 05 Jun 2024
Posts: 248
|
| Posted: Fri Jul 12, 2024 6:55 pm Post subject: |
|
|
| pjp wrote: | Consider the plethora of security guides / blogs / whatevers that, for demonstration purposes, show how to do something as root, when in practice, that's not how you're supposed to do it. Except no one ever demonstrates it "properly."
|
Another example, I suppose, is all the blogs/sites showing how to set things up on Kubernetes, assuming that the reader has full cluster admin rights. I confess to being guilty of this myself. It's a combination of laziness, and not wanting to complicate things more than they already are.
I think Red Hat's SELinux documentation is reasonably thorough, even the stuff you don't need to be a customer of theirs to see. But, of course, it's tailored to their specific flavour or Linux. I think it's unlikely you'll find a lot of public documentation that deals with the specifics of hardening production installations. I guess that's because the people with the skills to provide that kind of information want instead to be paid for setting it up for you. I'm not sure it's Fight Club so much as the attitude you get, when you work with profoundly paranoid customers with lots and lots of money.
I've been on commercial training for SELinux, so I know there are people who understand it really well. My own knowledge has never been more than superficial. Still, I've seen how effective it can be in expert hands. How effective it is in not-very-expert hands like mine, I'm not sure.
BR, Lars. |
|
| Back to top |
|
|
BurningMemory
n00b
Joined: 17 Jan 2023
Posts: 47
|
| Posted: Sat Jul 13, 2024 2:54 am Post subject: |
|
|
I've read the entire official manual and I can say it's not that complicated, it might seem so at first,
maybe even overly complicated. Though still, you should first of all define a threat model for yourself
just because it's easier to think of defenses afterwards. SELinux only really shines when a server
has users that get some form of file access or when the server runs multiple services or
maybe containers/VMs that you want isolated for some reason or another. If you don't
expected untrusted access from the outside world, then you can do it just for fun, it's
your stuff. Although, if you're not very well familiar with it, then it may be
a bad idea to do it on the bare metal. Try it out in a VM first or if you have a spare pc
configure another server and try it out there. Also, SELinux is quite tough to deal with
when you have applications that don't internally support it (i.e. minecraft, afaik). |
|
| Back to top |
|
|
Moonboots
Apprentice
Joined: 02 Dec 2006
Posts: 164
|
| Posted: Sat Jul 13, 2024 4:44 pm Post subject: |
|
|
Just before the whole xz-utils saga i cloned my existing gnome DE to another partition on my hard drive.
I naively chose the "targeted" setup and changed to the nouveau driver thinking it would make things easier
I was struggling to find a way to get pass the black screen no keyboard/mouse to login into GDM, when i decided to wipe
the hard drive completely to avoid any possible Ubuntu beta contamination.
I'm ready to give it another go with a similar set-up ie a working non-Selinux Gentoo setup to fall back to
A running Fedora workstation install is always a source of hope and reference, but I'm under no illusion that it is a
long term side project. |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Gentoo Chat
