The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards.

Fact: Large Linux shops (Red Hat, IBM, etc.) often bid on government contracts which contain a requirement for enhanced security.

Fact: NSA employees often evaluate the security system provided by vendors bidding on these large contracts.

Fact: NSA employees wrote virtually all of SELinux.

What do you think the odds are of getting a passing grade if you provide SELinux as your enhanced security?

Here we have my first truth: SELinux exists primarily to get government contracts, not to enhance security or provide any benefit for customers. Any such benefits are entirely secondary to the primary concern of getting contracts :-).

Fact: Initial releases of SELinux were an unmitigated disaster, and subsequent releases improved only slightly. The difference between a system with SELinux enabled and a completely inert block of concrete was hard to discern (of course, to a security geek, a completely inert block of concrete needs more work to be a really secure system).

Fact: SELinux only began to be accepted when the setroubleshoot tool came along. And what does setroubleshoot do? It makes it simple to say, "Oh, for God's sake, just go ahead and allow that program to do whatever." Does it analyze the code to ensure the behavior in question is valid for this case? (Nope). Does it improve the security of your system? (Nope). Does it simply make SELinux utterly pointless by eventually allowing every questionable behavior of every questionable program on the system? (Yep). Does it waste vast quantities of administrators' time interacting with setroubleshoot to allow all that questionable behavior? (Yep).

Here we have my second truth: Intelligent administrators can save all the time it takes to allow all those exceptions individually by simply turning off SELinux to begin with: In /boot/grub/grub.conf add the selinux=0 kernel parameter, and for good measure (just to be belt and suspenders) edit /etc/selinux/config to say SELINUX=disabled. (If you are running a new enough system to use grub2, the file you need to change is /boot/grub2/grub.cfg, and you may also want to check /etc/default/grub).

And a final note for the paranoid: Do you really want a library written by the NSA loaded in the address space of every program running on your system? (Of course, you get that even if you disable SELinux; in fact, that library can tell you disabled SELinux - better hope that doesn't make it mad - the only way to eradicate SELinux completely is to do something like switch to the Gentoo Linux distribution and set up your source build options so you always disable SELinux for all builds.)

P.S. One of the competing technologies for getting government contracts is AppArmor (found mostly on SUSE systems). Rest assured, it is even more worthless than SELinux.
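
To see which of the two settings described above (the selinux=0 kernel parameter and SELINUX=disabled in /etc/selinux/config) is actually in force on a host, the following added example, which is not part of the original page, reads both and reports the result. The function names are hypothetical, and treating the first SELINUX= line as the one that counts is an assumption about how the file is read.

```shell
#!/bin/sh
# Added example: report how SELinux is set up from the two places named above.

# Print the SELINUX= value found in a config file such as /etc/selinux/config.
selinux_config_mode() {
    # Commented-out lines and SELINUXTYPE= do not match.
    # Assumption: the first SELINUX= line is the one that counts.
    sed -n 's/^SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" |
        head -n 1 | tr '[:upper:]' '[:lower:]'
}

# Print 0 or 1 when a kernel command line carries selinux=N, otherwise "unset".
selinux_cmdline_flag() {
    flag=unset
    for word in $1; do
        case "$word" in
            selinux=0) flag=0 ;;
            selinux=1) flag=1 ;;
        esac
    done
    echo "$flag"
}

# Combine both: selinux=0 on the boot line applies whatever the config file says.
selinux_effective() {
    cfg=$(selinux_config_mode "$1")
    arg=$(selinux_cmdline_flag "$2")
    if [ "$arg" = 0 ]; then
        echo "disabled (kernel parameter)"
    elif [ "$cfg" = disabled ]; then
        echo "disabled (config file)"
    elif [ -z "$cfg" ]; then
        echo "unknown (no SELINUX= line)"
    else
        echo "$cfg"
    fi
}

# Constructed sample input: config still says enforcing, boot line has selinux=0.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# SELINUX=disabled
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
selinux_effective "$sample" "BOOT_IMAGE=/vmlinuz ro quiet selinux=0"
rm -f "$sample"

# On a live host: selinux_effective /etc/selinux/config "$(cat /proc/cmdline)"
```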