Re: [gentoo-user] NSA SELinux kernel support
On 01/04/2015 09:47 AM, Sid S wrote:
>
>> SELinux is the only one I've had a bit of experience with - I run CentOS
>> (SELinux is enabled by default) for some personal-use-only services that
>> I want to run without dealing with Gentoo. My first step in a CentOS
>> install is to disable SELinux (and the firewall, hehe) to avoid dealing
>> with the pain of wading through documentation for hours on end.
> http://stopdisablingselinux.com/ - your distribution probably comes
> with policies for everything you want to install, anyway...
>

Sid, thanks again. I've just remembered a couple of public-facing servers I administer that run CentOS, and I think it's about time to spend an hour or two learning SELinux for at least the one that runs Redmine.

Alec
Re: [gentoo-user] NSA SELinux kernel support
> ...until it doesn't, and then what?

The comment was slightly off-topic and mainly pointed towards his decision to disable SELinux on a distribution which had enabled it by default. On Gentoo, if you enable SELinux, see all of the AVCs and decide to nope right out of there, you are making an informed decision (by virtue of needing to learn a great deal about SELinux to set it up in the first place).

> I could have half-assed it with audit2allow, but security-wise that's a
> cop-out.

I'm not sure it's a complete cop-out as long as you read the suggestions audit2allow is making. The policy you end up with will not be ideal and will certainly be full of holes, but at least you are somewhat aware of the risk a given service is to your system.

> I'd like to find a middle ground, and it might be Targeted mode (I was
> attempting Strict). Or, it might be a different system like AppArmor.

Yeah, my ending suggestion was to run in targeted mode (if you wanted to bother with SELinux at all), but that mainly serves as a workaround for desktop-oriented stuff. Containers or virtualization are also options.
Re: [gentoo-user] NSA SELinux kernel support
Sid S writes:
> your distribution probably comes
> with policies for everything you want to install, anyway...

...until it doesn't, and then what?

I attempted a full conversion a few months back, and was ready to make some commitment to getting SELinux to work on my personal laptop. I got as far as Permissive mode, with a firehose of access violations in the auditd log. I had written a couple of scrappy policies to authorize a few small one-off violations, with the help of audit2allow, but the firehose was still gushing.

I use offlineimap for fetching mail, which doesn't have a policy. Now, if I ever wanted to switch from Permissive to Enforcing, I was required, as an absolute SELinux n00b, to write a full policy for a non-trivial mail application. This is when I turned around.

I could have half-assed it with audit2allow, but security-wise that's a cop-out. Inevitably, there will always be some program I want to use with no existing policy, and I'll constantly have this problem. I realized that my personal workstation is a place I like to try lots of software (don't we all like that about Linux?), and SELinux can be a big wet blanket on the fun at any time.

I'd like to find a middle ground, and it might be Targeted mode (I was attempting Strict). Or, it might be a different system like AppArmor.

--
Erik Mackdanz
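The two messages above (Erik's "firehose" of AVC denials in permissive mode, and Sid's point that audit2allow is only a cop-out if you do not read what it proposes) are about the same workflow. The following is an added example, not code from the thread, the Gentoo project or audit2allow itself: it groups constructed AVC records by source type, target type and object class, renders the allow rules audit2allow would propose, and marks the ones touching a sensitive target type so they get read instead of loaded blindly. The domain offlineimap_t and the SENSITIVE_TARGETS list are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed AVC records, modelled on what auditd logs in permissive mode
# (permissive=1); offlineimap_t is a hypothetical domain, the target types
# are standard reference-policy types.
SAMPLE_AVCS = """\
type=AVC msg=audit(1420367160.101:401): avc:  denied  { read } for  pid=2101 comm="offlineimap" name="ca-certificates.crt" dev="sda2" ino=9901 scontext=user_u:user_r:offlineimap_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1420367160.102:402): avc:  denied  { open } for  pid=2101 comm="offlineimap" path="/etc/ssl/certs/ca-certificates.crt" dev="sda2" ino=9901 scontext=user_u:user_r:offlineimap_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1420367160.250:403): avc:  denied  { name_connect } for  pid=2101 comm="offlineimap" dest=993 scontext=user_u:user_r:offlineimap_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1420367161.300:404): avc:  denied  { write } for  pid=2101 comm="offlineimap" name="shadow" dev="sda2" ino=77 scontext=user_u:user_r:offlineimap_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
# Target types no mail client should touch; an illustrative list of our
# own for the reviewer's benefit, not an audit2allow feature.
SENSITIVE_TARGETS = {"shadow_t", "etc_t", "bin_t"}

def type_of(context):
    """Pull the type field out of user:role:type:level."""
    return context.split(":")[2]

def summarize_denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # skip non-AVC audit records
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        summary[key].update(m["perms"].split())
    return summary

def allow_rules(summary):
    """Render each group as the allow rule audit2allow would propose."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(summary.items())]

def flag_for_review(summary):
    """Groups whose target is sensitive: read these before you load them."""
    return [key for key in sorted(summary) if key[1] in SENSITIVE_TARGETS]

if __name__ == "__main__":
    denials = summarize_denials(SAMPLE_AVCS)
    flagged = set(flag_for_review(denials))
    for key, rule in zip(sorted(denials), allow_rules(denials)):
        print(rule, "<-- review" if key in flagged else "")
```

The write to shadow_t is exactly the kind of denial that should stay denied; the cert read and the IMAPS connect are the legitimate needs of a mail fetcher.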
Re: [gentoo-user] NSA SELinux kernel support
On 01/04/2015 09:47 AM, Sid S wrote:
>
>> SELinux is the only one I've had a bit of experience with - I run CentOS
>> (SELinux is enabled by default) for some personal-use-only services that
>> I want to run without dealing with Gentoo. My first step in a CentOS
>> install is to disable SELinux (and the firewall, hehe) to avoid dealing
>> with the pain of wading through documentation for hours on end.
> http://stopdisablingselinux.com/ - your distribution probably comes
> with policies for everything you want to install, anyway...
>

Thanks for this link - I'll watch that video later this afternoon, I think.

Alec
Re: [gentoo-user] NSA SELinux kernel support
> I was wondering if there was any harm in disabling the NSA SELinux support
> in my gentoo-sources based kernel.

There is no harm, but if you were interested, a lot of packages come with policies by default. Currently there is no support for SELinux in Gentoo for the vast majority of desktop applications. It is a little bit of work to get anything nonfunctional working. There are additional modes where you can simply run your user as unconfined and any services will be restricted by SELinux. grsecurity's RBAC is an alternative where you simply let it generate a policy based on what it sees you use. Notably, Fedora and CentOS enable SELinux by default.

> SELinux is the only one I've had a bit of experience with - I run CentOS
> (SELinux is enabled by default) for some personal-use-only services that
> I want to run without dealing with Gentoo. My first step in a CentOS
> install is to disable SELinux (and the firewall, hehe) to avoid dealing
> with the pain of wading through documentation for hours on end.

http://stopdisablingselinux.com/ - your distribution probably comes with policies for everything you want to install, anyway...
Re: [gentoo-user] NSA SELinux kernel support
On Fri, Jan 2, 2015 at 10:03 AM, Marc Stürmer wrote:
> On 01.01.2015 at 18:01, Alexander Kapshuk wrote:
>
>> I was wondering if there was any harm in disabling the NSA SELinux
>> support in my gentoo-sources based kernel.
>
> It depends on your usage case (desktop or server) and grade of personal
> paranoia.
>
> I know a few administrators who think that enabling SELinux or similar
> stuff (e.g. like AppArmor) should today be mandatory if installing servers
> on the internet.
>
> Then again your mileage may vary.

Thanks for your input.
Re: [gentoo-user] NSA SELinux kernel support
On 01.01.2015 at 18:01, Alexander Kapshuk wrote:
> I was wondering if there was any harm in disabling the NSA SELinux
> support in my gentoo-sources based kernel.

It depends on your usage case (desktop or server) and grade of personal paranoia.

I know a few administrators who think that enabling SELinux or similar stuff (e.g. like AppArmor) should today be mandatory if installing servers on the internet.

Then again your mileage may vary.
Re: [gentoo-user] NSA SELinux kernel support
On Thu, Jan 1, 2015 at 7:25 PM, Alec Ten Harmsel wrote:
> Context for my replies - I only use Gentoo in a personal setting.
>
> On 01/01/2015 12:01 PM, Alexander Kapshuk wrote:
> > I was wondering if there was any harm in disabling the NSA SELinux
> > support in my gentoo-sources based kernel.
>
> I've never had SELinux enabled in my gentoo kernels.
>
> > The kernel config help for the NSA SELinux options suggests that
> > having them enabled is optional.
>
> Yup, totally is.
>
> > If I understand it correctly, having these options on in the kernel
> > config alone does not imply that my system is using NSA SELinux.
> > According to http://wiki.gentoo.org/wiki/SELinux/Installation, a bunch
> > of other things need to be taken care of to have SELinux on.
>
> That's correct - I don't know what software/config one needs, but
> SELinux is enabled/disabled/configured in userspace.
>
> > Is SELinux something that the folk here would recommend using on a
> > personal, rather than a production system? Or would you recommend
> > using something else, if anything at all?
> >
> > Thanks.
>
> I would recommend using nothing. From what little I understand about
> security-related stuff, SELinux constrains the resources available to
> programs (sockets, files, etc.) so vulnerabilities in various server
> programs don't lead to an entire system being compromised.
>
> SELinux is the only one I've had a bit of experience with - I run CentOS
> (SELinux is enabled by default) for some personal-use-only services that
> I want to run without dealing with Gentoo. My first step in a CentOS
> install is to disable SELinux (and the firewall, hehe) to avoid dealing
> with the pain of wading through documentation for hours on end.
>
> The one use case that seems pretty interesting for personal use is
> something I know for sure Ubuntu does - an AppArmor profile for all of
> the web browsers they ship. AppArmor, if I'm not mistaken, does a lot of
> the same things as SELinux, and the browser profiles guard against rogue
> JavaScript from doing bad things.
>
> If I got anything wrong security-wise, I'm sorry, and hopefully someone
> corrects it quickly.
>
> Hope this helps,
>
> Alec

Understood. Thanks.
Re: [gentoo-user] NSA SELinux kernel support
Context for my replies - I only use Gentoo in a personal setting.

On 01/01/2015 12:01 PM, Alexander Kapshuk wrote:
> I was wondering if there was any harm in disabling the NSA SELinux
> support in my gentoo-sources based kernel.

I've never had SELinux enabled in my gentoo kernels.

> The kernel config help for the NSA SELinux options suggests that
> having them enabled is optional.

Yup, totally is.

> If I understand it correctly, having these options on in the kernel
> config alone does not imply that my system is using NSA SELinux.
> According to http://wiki.gentoo.org/wiki/SELinux/Installation, a bunch
> of other things need to be taken care of to have SELinux on.

That's correct - I don't know what software/config one needs, but SELinux is enabled/disabled/configured in userspace.

> Is SELinux something that the folk here would recommend using on a
> personal, rather than a production system? Or would you recommend
> using something else, if anything at all?
>
> Thanks.

I would recommend using nothing. From what little I understand about security-related stuff, SELinux constrains the resources available to programs (sockets, files, etc.) so vulnerabilities in various server programs don't lead to an entire system being compromised.

SELinux is the only one I've had a bit of experience with - I run CentOS (SELinux is enabled by default) for some personal-use-only services that I want to run without dealing with Gentoo. My first step in a CentOS install is to disable SELinux (and the firewall, hehe) to avoid dealing with the pain of wading through documentation for hours on end.

The one use case that seems pretty interesting for personal use is something I know for sure Ubuntu does - an AppArmor profile for all of the web browsers they ship. AppArmor, if I'm not mistaken, does a lot of the same things as SELinux, and the browser profiles guard against rogue JavaScript from doing bad things.

If I got anything wrong security-wise, I'm sorry, and hopefully someone corrects it quickly.

Hope this helps,

Alec
[gentoo-user] NSA SELinux kernel support
I was wondering if there was any harm in disabling the NSA SELinux support in my gentoo-sources based kernel.

The kernel config help for the NSA SELinux options suggests that having them enabled is optional.

If I understand it correctly, having these options on in the kernel config alone does not imply that my system is using NSA SELinux. According to http://wiki.gentoo.org/wiki/SELinux/Installation, a bunch of other things need to be taken care of to have SELinux on.

Is SELinux something that the folk here would recommend using on a personal, rather than a production system? Or would you recommend using something else, if anything at all?

Thanks.
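The original question hinges on the difference between the kernel option being built and SELinux actually being in use. The following is an added example, not code from the thread or from the Gentoo wiki page it links: it separates the three things a box can tell you, compile-time support in the kernel .config, the mode requested in /etc/selinux/config, and what the running kernel reports through selinuxfs (the enforce file is present only once a policy is loaded). The .config and /etc/selinux/config texts are constructed inputs; on a real system you would read /proc/config.gz or /usr/src/linux/.config instead.

```python
import os

# Constructed inputs: a kernel .config fragment (built with SELinux, and
# without) and an /etc/selinux/config asking for permissive mode.
KCONFIG = "CONFIG_SECURITY=y\nCONFIG_SECURITY_SELINUX=y\nCONFIG_SECURITY_SELINUX_BOOTPARAM=y\n"
KCONFIG_OFF = "CONFIG_SECURITY=y\n# CONFIG_SECURITY_SELINUX is not set\n"
ETC_CONFIG = "# This file controls the state of SELinux on the system.\nSELINUX=permissive\nSELINUXTYPE=strict\n"

def kernel_has_selinux(kconfig_text):
    """Compile-time support: the option the kernel menu is asking about."""
    return "CONFIG_SECURITY_SELINUX=y" in kconfig_text.splitlines()

def configured_mode(etc_text):
    """Mode requested in /etc/selinux/config, or None if no SELINUX= line."""
    for line in etc_text.splitlines():
        line = line.strip()
        if line.startswith("SELINUX="):
            return line.split("=", 1)[1].strip().lower()
    return None

def read_enforce(selinuxfs="/sys/fs/selinux"):
    """Contents of <selinuxfs>/enforce, or None when selinuxfs is not mounted."""
    path = os.path.join(selinuxfs, "enforce")
    if not os.path.exists(path):
        return None
    with open(path) as f:
        return f.read().strip()

def selinux_status(kconfig_text, etc_text, enforce_value):
    """Combine the three sources into what the system is actually doing."""
    if not kernel_has_selinux(kconfig_text):
        return "kernel lacks SELinux; userspace settings are irrelevant"
    if enforce_value is None:
        # Built in, but no policy was loaded at boot: nothing is confined.
        mode = configured_mode(etc_text)
        return f"compiled in but inactive (no policy loaded; config asks for {mode})"
    running = "enforcing" if enforce_value == "1" else "permissive"
    return f"active and {running}"

if __name__ == "__main__":
    print(selinux_status(KCONFIG, ETC_CONFIG, read_enforce()))
```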