
[BackupPC-users] [OT] SELinux, firewalls and such ...

2009-06-26 19:58:26
Subject: [BackupPC-users] [OT] SELinux, firewalls and such ...
From: Holger Parplies <wbppc AT parplies DOT de>
To: Les Mikesell <lesmikesell AT gmail DOT com>
Date: Sat, 27 Jun 2009 01:52:32 +0200
Hi,

Les Mikesell wrote on 2009-06-26 13:05:51 -0500 [Re: [BackupPC-users] Having 
Several Issues]:
> Admiral Beotch wrote:
> > [...] SELinux is an awesome security framework and should never be
> > disabled. It's like a firewall for processes. One wouldn't disable a
> > firewall because it kept a required application from working, you'd
> > figure out how to unblock the traffic.

yes, but do you have a firewall enabled on all hosts in your intranet, or
rather only where it makes sense (like on hosts facing the internet)? I like
your analogy, because it points out the complexity as well as the advantages.
You don't put a firewall where it's not needed, though you *could* work out
how to run NFS through a local firewall on a workstation, for example.

Furthermore, a firewall on a non-routing machine is just an additional layer
of protection against misconfiguration. A host running no services (read: no
open ports) gains nothing from blocking incoming traffic. You can block
outgoing traffic only as far as it is distinguishable from something you
legitimately need (meaning you probably wouldn't block HTTP, so malicious
programs would have that loophole, too). You can extend this notion to a
complete intranet: if every machine is set up in a secure way, the firewall
offers no additional protection. Since that is very hard or impossible to
guarantee, you put a firewall between your intranet and the internet. *But:*
you should never forget that a firewall is not magic. If you allow access to
a vulnerable application through a firewall, the application will be no less
vulnerable. If you forget that, the firewall is actually *doing harm* by
giving you a false sense of security.

> > The same should go for SELinux.

Thank you for supplying me with this quote :-).

> > If a service or account 
> > gets compromised or abused, SELinux will keep it sandboxed so it can't 
> > affect other parts of the system.
> 
> And my stance is the opposite.  The standard unix security model wasn't 
> broken to begin with.

This I agree with.

> SELinux adds another layer that is only necessary 
> if you got something wrong in the first place.

I'm not sure I fully agree with that. I'm not very familiar with SELinux, but
I have put quite some work into setting up Grsecurity on some hosts (quite a
while back, but I'll need to revisit that soon). I believe SELinux may in fact
give you some possibilities the standard UNIX security model doesn't, so it
may be possible to narrow down permissions further than you otherwise could.
And this may be necessary due to processes behaving in a different manner than
they were supposed to - due to bugs or design flaws. It's not a bad idea to
protect against any arbitrary bug by giving your process the least privilege
it needs (if it *never* needs to read /etc/passwd, it might as well not be
allowed to, though /etc/passwd needs to be world readable). It's just quite
some work and rather inflexible.

> Now, if you can't get 
> the simple, easy to understand thing right, what are the odds that 
> you'll do better with one that is so complicated that even the 
> distribution developers have spent years on and still haven't perfected? 

This, on the other hand, is an important point. Like the firewall, if it only
gives you a false sense of security, it is doing harm rather than good. If
your distribution gives you a secure SELinux configuration for free, then
fine. If you need to tweak things, and you end up doing something you don't
fully understand, just to get things working, then you are better off not
relying on this "additional protection" in any way - you may have messed up
the whole system. So why maintain it?

> If you have time to learn and tune both models perfectly, then they 
> shouldn't hurt anything, but so far I've always had something better to 
> do and considered it more productive to focus on the simple model.

Though I find SELinux very interesting, I have so far also had more urgent
(I'm not sure about important ...) things to do.

Regards,
Holger
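The argument above (a firewall only protects the listeners it actually blocks; for ports it lets through, the application is on its own; a loopback-only listener is not an open port) can be turned into a quick audit. The following is an added example, not code from the original post or from the BackupPC project. It assumes the column layout of `ss -Hltn` / `ss -Hlun` output (State, Recv-Q, Send-Q, Local:Port, Peer:Port, ...); the sample socket lines and the allow-list are constructed for the example and are not taken from any real host.

```python
"""Reconcile a host's listening sockets with its inbound firewall allow-list.

Added example (not from the original post). Each externally reachable
listener is classified as either "exposed" (the firewall allows it, so the
application's own security is all there is) or "shielded" (the firewall is
the extra layer against a misconfigured or forgotten service). Allow rules
with no listener behind them are reported as stale.
"""
from dataclasses import dataclass

# Addresses that are never reachable from another host.
LOOPBACK = {"127.0.0.1", "::1"}


@dataclass(frozen=True)
class Listener:
    proto: str   # "tcp" or "udp"
    addr: str    # bound address, brackets stripped for IPv6
    port: int


def parse_ss(lines, proto):
    """Parse `ss -Hltn` (proto="tcp") or `ss -Hlun` (proto="udp") lines.

    Assumed layout (constructed for this example, not verified against
    every ss version): State Recv-Q Send-Q Local:Port Peer:Port [Process].
    """
    listeners = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue                      # blank or truncated line
        addr, _, port = fields[3].rpartition(":")
        addr = addr.strip("[]")           # "[::]:80" -> "::"
        if addr == "*":                   # older ss prints "*:22"
            addr = "0.0.0.0"
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def classify(listeners, allowed):
    """`allowed` is the set of (proto, port) the firewall accepts from
    non-local hosts. Returns a report keyed by category."""
    report = {"loopback_only": [], "exposed": [], "shielded": [], "stale_rules": []}
    seen = set()
    for l in listeners:
        if l.addr in LOOPBACK:
            report["loopback_only"].append(l)   # not an open port externally
            continue
        seen.add((l.proto, l.port))
        if (l.proto, l.port) in allowed:
            report["exposed"].append(l)        # firewall adds nothing here
        else:
            report["shielded"].append(l)       # firewall is doing real work
    report["stale_rules"] = sorted(allowed - seen)
    return report


def firewall_adds_protection(report):
    """True only if the firewall blocks at least one reachable listener.
    With nothing shielded, the host "gains nothing from blocking incoming
    traffic", exactly the case the post describes."""
    return len(report["shielded"]) > 0


# Constructed sample data: an sshd, a loopback-only CUPS, an httpd,
# an NFS server that was never meant to face the network, and a UDP
# portmapper. The allow-list opens 22, 80 and 443.
SAMPLE_TCP = [
    "LISTEN 0 128 0.0.0.0:22 0.0.0.0:*",
    "LISTEN 0 128 127.0.0.1:631 0.0.0.0:*",
    "LISTEN 0 4096 [::]:80 [::]:*",
    "LISTEN 0 64 0.0.0.0:2049 0.0.0.0:*",
]
SAMPLE_UDP = [
    "UNCONN 0 0 0.0.0.0:111 0.0.0.0:*",
]
ALLOWED = {("tcp", 22), ("tcp", 80), ("tcp", 443)}


if __name__ == "__main__":
    listeners = parse_ss(SAMPLE_TCP, "tcp") + parse_ss(SAMPLE_UDP, "udp")
    report = classify(listeners, ALLOWED)
    for category, items in report.items():
        print(f"{category}:")
        for item in items:
            print(f"    {item}")
    print("firewall adds protection on this host:", firewall_adds_protection(report))
```

On a real host you would feed `parse_ss` the output of `ss -Hltn` and `ss -Hlun` and build `ALLOWED` from the actual ruleset; the interesting lines are the "exposed" ones, which is where the post's warning applies: whatever is listening there is no less vulnerable for sitting behind the firewall.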

------------------------------------------------------------------------------
_______________________________________________
BackupPC-users mailing list
BackupPC-users AT lists.sourceforge DOT net
List:    https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki:    http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/