NSA SELinux kernel support

NSA SELinux kernel support

Alexander Kapshuk
I was wondering if there was any harm in disabling the NSA SELinux support in my gentoo-sources based kernel.

The kernel config help for the NSA SELinux options suggests that having them enabled is optional.

If I understand it correctly, having these options on in the kernel config alone does not imply that my system is using NSA SELinux. According to http://wiki.gentoo.org/wiki/SELinux/Installation, a bunch of other things needs to be taken care of to have SELinux on.

Is SElinux something that the folk here would recommend using on a personal, rather than a production system? Or would you recommend using something else, if anything at all?

Thanks.


Re: NSA SELinux kernel support

Alec Ten Harmsel
Context for my replies - I only use Gentoo in a personal setting.

On 01/01/2015 12:01 PM, Alexander Kapshuk wrote:
> I was wondering if there was any harm in disabling the NSA SELinux
> support in my gentoo-sources based kernel.

I've never had SELinux enabled in my gentoo kernels.

>
> The kernel config help for the NSA SELinux options suggests that
> having them enabled is optional.

Yup, totally is.

>
> If I understand it correctly, having these options on in the kernel
> config alone does not imply that my system is using NSA SELinux.
> According to http://wiki.gentoo.org/wiki/SELinux/Installation, a bunch
> of other things needs to be taken care of to have SELinux on.

That's correct - I don't know what software/config one needs, but
SELinux is enabled/disabled/configured in userspace.

>
> Is SElinux something that the folk here would recommend using on a
> personal, rather than a production system? Or would you recommend
> using something else, if anything at all?
>
> Thanks.
>

I would recommend using nothing. From what little I understand about
security-related stuff, SELinux constrains the resources available to
programs (sockets, files, etc.) so vulnerabilities in various server
programs don't lead to an entire system being compromised.

SELinux is the only one I've had a bit of experience with - I run CentOS
(SELinux is enabled by default) for some personal-use-only services that
I want to run without dealing with Gentoo. My first step in a CentOS
install is to disable SELinux (and the firewall, hehe) to avoid dealing
with the pain of wading through documentation for hours on end.

The one use case that seems pretty interesting for personal use is
something I know for sure Ubuntu does - an AppArmor profile for all of
the web browsers they ship. AppArmor, if I'm not mistaken, does a lot of
the same things as SELinux, and the browser profiles guard against rogue
JavaScript from doing bad things.

If I got anything wrong security-wise, I'm sorry, and hopefully someone
corrects it quickly.

Hope this helps,

Alec
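The distinction drawn in the two messages above (SELinux built into the kernel versus SELinux actually set up by userspace) can be checked directly. This is an added example, not part of the thread or of any Gentoo tool; the `root` parameter and the state names are this example's own.

```python
import os

def _read(root, rel):
    """Return the contents of a file under root, or None if unreadable."""
    try:
        with open(os.path.join(root, rel)) as fh:
            return fh.read()
    except OSError:
        return None

def selinux_status(root="/"):
    """Report kernel-side and userspace-side SELinux state separately.

    root is an assumption of this example: it lets the check run
    against a fake tree; use "/" on a live system.
    """
    fs = _read(root, "proc/filesystems") or ""
    # selinuxfs is listed only when the running kernel has SELinux active.
    kernel = any(line.split()[-1:] == ["selinuxfs"] for line in fs.splitlines())
    # The enforce node appears once userspace has mounted selinuxfs.
    enforce = _read(root, "sys/fs/selinux/enforce")
    if not kernel:
        runtime = "kernel-off"
    elif enforce is None:
        runtime = "kernel-only"   # built in, but userspace never set it up
    else:
        runtime = "enforcing" if enforce.strip() == "1" else "permissive"
    # /etc/selinux/config holds what userspace requests at boot.
    wanted = {}
    for line in (_read(root, "etc/selinux/config") or "").splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            wanted[key.strip()] = value.strip()
    return {"runtime": runtime,
            "config_mode": wanted.get("SELINUX"),
            "config_type": wanted.get("SELINUXTYPE")}

if __name__ == "__main__":
    print(selinux_status())
```

A `kernel-only` result is the situation the original question describes: the option is compiled in, but nothing in userspace has mounted selinuxfs or loaded a policy.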


Re: NSA SELinux kernel support

Alexander Kapshuk
Understood. Thanks.


Re: NSA SELinux kernel support

James-2
In reply to this post by Alexander Kapshuk
Alexander Kapshuk <alexander.kapshuk <at> gmail.com> writes:


> Is SElinux something that the folk here would recommend using on a
> personal, rather than a production system? Or would you recommend
> using something else, if anything at all?

Difficult questions with no simple answer. Selinux is used in more places
than routine linux installations. Here is a bit of reading
on SeLinux, it is a sub-project of the Hardened project here at Gentoo and
it is very robust, but time consuming.


hth,
James

http://wiki.gentoo.org/wiki/SELinux

http://wiki.gentoo.org/wiki/Project:Hardened

https://source.android.com/devices/tech/security/selinux/index.html

http://www.all-things-android.com/content/selinux-android-and-samsung-knox



Re: NSA SELinux kernel support

Alexander Kapshuk
Thanks for the pointers.


Re: NSA SELinux kernel support

Marc Stuermer
In reply to this post by Alexander Kapshuk
On 01.01.2015 at 18:01, Alexander Kapshuk wrote:

> I was wondering if there was any harm in disabling the NSA SELinux
> support in my gentoo-sources based kernel.

It depends on your usage case (desktop or server) and grade of personal
paranoia.

I know a few administrators who think that enabling SELinux or similar
stuff (e.g. like AppArmor) should be today mandatory if installing
servers on the internet.

Then again your mileage may vary.


Re: NSA SELinux kernel support

Alexander Kapshuk
Thanks for your input.


Re: NSA SELinux kernel support

R0b0t1
> I was wondering if there was any harm in disabling the NSA SELinux support
> in my gentoo-sources based kernel.

There is no harm, but if you were interested a lot of packages come
with policies by default. Currently there is no support for SELinux in
Gentoo for the vast majority of desktop applications. It is a little
bit of work to get anything nonfunctional working. There are
additional modes where you can simply run your user as unconfined and
any services will be restricted by SELinux. grsecurity's RBAC is an
alternative where you simply let it generate a policy based on what it
sees you use.

Notably, Fedora and CentOS enable SELinux by default.

> SELinux is the only one I've had a bit of experience with - I run CentOS
> (SELinux is enabled by default) for some personal-use-only services that
> I want to run without dealing with Gentoo. My first step in a CentOS
> install is to disable SELinux (and the firewall, hehe) to avoid dealing
> with the pain of wading through documentation for hours on end.

http://stopdisablingselinux.com/ - your distribution probably comes
with policies for everything you want to install, anyway...


Re: NSA SELinux kernel support

Alec Ten Harmsel

On 01/04/2015 09:47 AM, Sid S wrote:

>
>> SELinux is the only one I've had a bit of experience with - I run CentOS
>> (SELinux is enabled by default) for some personal-use-only services that
>> I want to run without dealing with Gentoo. My first step in a CentOS
>> install is to disable SELinux (and the firewall, hehe) to avoid dealing
>> with the pain of wading through documentation for hours on end.
> http://stopdisablingselinux.com/ - your distribution probably comes
> with policies for everything you want to install, anyway...
>
>
>

Thanks for this link - I'll watch that video later this afternoon I think.

Alec


Re: NSA SELinux kernel support

Erik Mackdanz
In reply to this post by R0b0t1
Sid S <[hidden email]> writes:

> your distribution probably comes
> with policies for everything you want to install, anyway...

...until it doesn't, and then what?

I attempted a full conversion a few months back, and was ready to make
some commitment to getting SELinux to work on my personal laptop.  I got
as far as Permissive mode, with a firehose of access violations in the
auditd log.  I had written a couple of scrappy policies to authorize a
few small one-off violations, with the help of audit2allow, but the
firehose was still gushing.

I use offlineimap for fetching mail, which doesn't have a policy.  Now,
if I ever wanted to switch from Permissive to Enforcing, I was required,
as an absolute SELinux n00b, to write a full policy for a non-trivial
mail application.  This is when I turned around.

I could have half-assed it with audit2allow, but security-wise that's a
cop-out.

Inevitably, there will always be some program I want to use with no
existing policy, and I'll constantly have this problem.

I realized that my personal workstation is a place I like to try lots of
software (don't we all like that about Linux?), and SELinux can be a big
wet blanket on the fun at any time.

I'd like to find a middle ground, and it might be Targeted mode (I was
attempting Strict).  Or, it might be a different system like AppArmor.
--
Erik Mackdanz


Re: NSA SELinux kernel support

R0b0t1
> ...until it doesn't, and then what?

The comment was slightly off-topic and mainly pointed towards his
decision to disable SELinux on a distribution which had enabled it by
default. On Gentoo, if you enable SELinux, see all of the AVCs and
decide to nope right out of there, you are making an informed decision
(by virtue of needing to learn a great deal about SELinux to set it up
in the first place).

> I could have half-assed it with audit2allow, but security-wise that's a
> cop-out.

I'm not sure it's a complete cop-out as long as you read the
suggestions audit2allow is making. The policy you end up with will not
be ideal and will certainly be full of holes, but at least you are
somewhat aware of the risk a given service is to your system.

> I'd like to find a middle ground, and it might be Targeted mode (I was
> attempting Strict).  Or, it might be a different system like AppArmor.

Yeah, my ending suggestion was to run in targeted mode (if you wanted
to bother with SELinux at all) but that mainly serves as a workaround
for Desktop-oriented stuff. Containers or virtualization are also
options.
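Reading what audit2allow would suggest is easier when the "firehose" of denials is first merged into one line per rule. The following is an added example, not code from the thread or from audit2allow itself; the log lines are constructed, and `REVIEW_PERMS` is an illustrative list chosen for this example, not an official classification.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1420380001.101:210): avc:  denied  { read open } for  pid=2101 comm="offlineimap" path="/etc/ssl/certs/ca.pem" dev="sda2" ino=4001 scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:cert_t tclass=file permissive=1
type=AVC msg=audit(1420380002.202:211): avc:  denied  { getattr } for  pid=2101 comm="offlineimap" path="/etc/ssl/certs/ca.pem" dev="sda2" ino=4001 scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:cert_t tclass=file permissive=1
type=AVC msg=audit(1420380003.303:212): avc:  denied  { write } for  pid=2101 comm="offlineimap" name="cur" dev="sda3" ino=5002 scontext=staff_u:staff_r:staff_t tcontext=staff_u:object_r:user_home_t tclass=file permissive=1
type=AVC msg=audit(1420380004.404:213): avc:  denied  { name_connect } for  pid=2101 comm="offlineimap" dest=993 scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:pop_port_t tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1420380004.404:213): arch=c000003e syscall=42 success=yes exit=0 pid=2101 comm="offlineimap"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')

# Permissions that modify state or run code; illustrative, not exhaustive.
REVIEW_PERMS = {"write", "append", "create", "unlink", "setattr",
                "execute", "execmod", "execmem", "ptrace", "relabelto"}

def type_of(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def summarize(log_text):
    """Merge denials into (source type, target type, class) -> perms, comms."""
    rules = defaultdict(lambda: {"perms": set(), "comms": set()})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (for example a SYSCALL record)
        key = (type_of(m["s"]), type_of(m["t"]), m["cls"])
        rules[key]["perms"].update(m["perms"].split())
        rules[key]["comms"].add(m["comm"])
    return rules

def render(rules):
    """Return sorted (allow-rule text, needs_review, commands) tuples."""
    out = []
    for (s, t, cls), info in sorted(rules.items()):
        perms = sorted(info["perms"])
        text = f"allow {s} {t}:{cls} {{ {' '.join(perms)} }};"
        out.append((text, bool(REVIEW_PERMS & info["perms"]), sorted(info["comms"])))
    return out

if __name__ == "__main__":
    for text, review, comms in render(summarize(SAMPLE_LOG)):
        print(("REVIEW " if review else "ok     ") + text, "#", ", ".join(comms))
```

Rules marked for review are the ones to read before accepting a generated policy, since each grants a whole source type that permission on every object of the target type.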


Re: NSA SELinux kernel support

Alec Ten Harmsel
In reply to this post by R0b0t1

On 01/04/2015 09:47 AM, Sid S wrote:
>
>> SELinux is the only one I've had a bit of experience with - I run CentOS
>> (SELinux is enabled by default) for some personal-use-only services that
>> I want to run without dealing with Gentoo. My first step in a CentOS
>> install is to disable SELinux (and the firewall, hehe) to avoid dealing
>> with the pain of wading through documentation for hours on end.
> http://stopdisablingselinux.com/ - your distribution probably comes
> with policies for everything you want to install, anyway...
>

Sid, thanks again. I've just remembered a couple public-facing servers I
administer that run CentOS and I think it's about time to spend an hour
or two learning SELinux for at least the one that runs Redmine.

Alec