Ridding myself of root passwords?
S. Dale Morrey
sdalemorrey at gmail.com
Thu Feb 6 12:13:06 MST 2014
My experience is that SELinux gets in the way far more than it helps. I'll
be the first to admit I'm hardly a pro with the tool. However I do have
some serious doubts as to the efficacy of a tool that blocks a daemon's
behavior that was given explicit consent to start and run by root. In my
opinion SELinux is the TSA of the admin world.
I'll detail an example. When I was in Ecuador I set up a VOIP system for a
community that had cheap broadband but super expensive phone service.
CentOS was the logical choice for a server and I built the thing on top of
Asterisk. Asterisk is a well known app. It does certain things and there
is a specific reason for it doing what it does. Everyone who runs an
asterisk box pretty much has to already know what it's doing and why or at
least be trying to learn.
Nevertheless, nothing I could find would allow it to start. Period. I
tried everything and that includes coming on this list and starting the
last argument we had on SELinux because thanks to you guys I was able to
figure out that SELinux was what was preventing it from running.
The solution at that time was to disable SELinux, or at least tell it to
allow this process to do whatever it wants. Thus if asterisk were to be
compromised, SELinux would let it do whatever it wants. Which in my mind
is the exact same thing as not having SELinux at all.
A tool like SELinux really needs to be more intelligent. Adding a "study
what this process does" mode and allowing it to learn the norms of the
process would in my mind justify the hassle of going in and telling it
"yeah sorry daemonX was supposed to be able to do that particular thing" on
the rare occasion that a daemon does change behavior by design.
Think about it the same as SSH. When you connect to a server for the first
time you get a warning "This server's fingerprint is untrusted". If you
allow it to connect then from there on out it allows you to connect until
the cert changes at which time it starts denying until you force it to
Until SELinux smartens up a bit, I think I'll continue to use an airgap as
the best security measure and where that isn't practical, keep separate
business processes on separate physical boxes and tied only in as much as
they actually need to communicate with one another.
As to your analogy about a house door, SELinux doesn't do anything of the
sort. Your analogy would be more akin to SSH and passwords vs certs
argument we've got going on in the other thread.
A better analogy would be along the lines of, "Do I really want my
paranoid schizophrenic uncle who is also really smart, but lives in the
attic, tossing out my house guests each time they try to run upstairs to go
to the bathroom?"
On Thu, Feb 6, 2014 at 11:47 AM, Levi Pearson <levipearson at gmail.com> wrote:
> On Thu, Feb 6, 2014 at 11:18 AM, S. Dale Morrey <sdalemorrey at gmail.com>
> > Process was running as an unprivileged user.
> > I'm guessing SELinux might have helped but in as we discussed before I
> > it habit to shut that off because 99% of the time it's just in my way.
> > Many, many times the only solution to a daemon not launching is
> > 0" or some other "let's shut off selinux" type of answer, to the point
> > disabling it is one of the first things I do. I can't have security
> > getting in the way of usability all the time like that.
> Yup, security is often inconvenient. But how often do you think,
> "Man, locking my door is a pain. When I get home and it's cold out
> and my gloves are on, it's so annoying to have to take them off to
> fish the key out of my pocket and unlock the door. And when my hands
> are full with groceries, I have to set them down too, and then pick
> them back up. You know what? I'm just going to leave my door
> unlocked. Locking it *really* inhibits its usability. And having to
> turn the doorknob is a pain, too. I'm just going to switch to a
> friction catch so I can push it open with my foot."
> Probably you should take the time to learn how SELinux or some similar
> tool works, and then using it would no longer be so inconvenient.
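Added example, not part of either message in this thread: when SELinux blocks a daemon, each refusal is logged as an AVC record, and the sketch below groups such records into candidate allow rules so that only the denied behaviours are reviewed instead of the whole domain being opened up. The log lines, the `asterisk_t` domain, PIDs, ports and file names are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from the original thread). The
# asterisk_t domain, PIDs, ports and paths are assumptions for illustration.
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1391714000.101:410): avc:  denied  { name_bind } for  pid=2210 comm="asterisk" src=5060 scontext=system_u:system_r:asterisk_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=AVC msg=audit(1391714000.204:411): avc:  denied  { read } for  pid=2210 comm="asterisk" name="sip.conf" dev=dm-0 ino=9131 scontext=system_u:system_r:asterisk_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1391714000.305:412): avc:  denied  { open read } for  pid=2210 comm="asterisk" name="sip.conf" dev=dm-0 ino=9131 scontext=system_u:system_r:asterisk_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1391714000.305:412): arch=c000003e syscall=2 success=no exit=-13 comm="asterisk"
type=AVC msg=audit(1391714001.007:413): avc:  granted  { setsched } for  pid=2210 comm="asterisk" scontext=system_u:system_r:asterisk_t:s0 tcontext=system_u:system_r:asterisk_t:s0 tclass=process
'''

# Matches only denied AVC records and captures permissions, contexts and class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(':')[2]

def denials_to_rules(log_text):
    """Group denied permissions by (source type, target type, class)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith('type=AVC'):
            continue  # SYSCALL and other record types carry no permission set
        m = AVC_RE.search(line)
        if m is None:  # granted records or malformed lines
            continue
        key = (context_type(m['scon']), context_type(m['tcon']), m['tclass'])
        grouped[key].update(m['perms'].split())
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        plist = sorted(perms)
        body = plist[0] if len(plist) == 1 else '{ ' + ' '.join(plist) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {body};')
    return rules

if __name__ == '__main__':
    for rule in denials_to_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

Each generated rule is a candidate to review, not something to load blindly: a rule that grants a broad target type such as `etc_t` usually points to a mislabeled file rather than a permission the daemon should have.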