Red Hat Boosts SELinux With RHEL 5

E. Stride writes "Many IT managers find Security Enhanced Linux, or SELinux, to be wildly complex. The mandatory access controls originally developed by the NSA have developed a reputation for being too complicated to deal with, and many IT shops simply turn the feature off. However, Red Hat's Dan Walsh says it's the only way to ensure 100% protection in the data center."

100%?

[mkro]

There will never be a 100% protection. A good GUI with a wizard, like with SUSE's AppArmor, will help a lot of people from falling between the "naah, it broke something on my webserver, turning it off" and "I'll dedicate the two next months of my life to learn SELinux" chairs.

Re:100%?

[weapon]

I run fedora and on *many* message boards I see the first trouble shooting idea is to turn off SELinux. What most people forget is that you can set SELinux to be permissive, so it is still turned on, and it lets you know when applications would be doing something that would be prevented. I think changing to permissive mode SELinux is more useful than turning it off as it lets you know what applications are misbehaving. I think part of this problem is that previously there has been no easy way to look as SELinux messages and manage the policies.

The main disadvantage of AppArmor is that it relies on file paths, not the inodes. All you need to do is be able to create a hard link in the right directory to get around it.

Re:100%?

[CajunArson]

100% agree that there is no such thing as 100% protection. I think both SELinux and AppArmor are great things (I did my MS thesis (woefully out of date) on Domain & Type enforcement which is one of the major systems (along with RBAC & Bell-Lepadula/Biba) in Mandatory Access Control (MAC). The SELinux approach is (usually) a more 'pure' variety in that it encompasses the entire system, all of the namespaces in the system in one setup. When I say 'namespace' think of that scene in the Matrix when Neo can't open his mouth to make a phone call..... Tell me Mr. HAcker, how are you going to steal my passwords when you can't even name the /etc/shadow file? SELinux will allow policies where even the root user (under certain contexts) cannot screw with the system. This can make administration harder like in some SELinux setups you literally have to login as root from the physical console to have full access, su'ing to root or SSHing in as root will not get the same privileges. In the most extreme cases, an SELinux policy could literally require you to reboot the box off of a rescue CD to get full access to certain files. The controls are extremely fine grained and very powerful, but potentially cumbersome.
      AppArmor's main approach is somewhat less broad. It is more like putting certain applications into a MAC container to limit what an application can do, no matter who the user using the application is. A great example of this that most Slashdot readers should look into is putting the browser into a safety container. I've been using Linux since right before 2.4 came out, and I can't count the number of times I've heard 'Linux is more secure because even if your account gets hacked the system isn't hacked' While there is certainly truth to that from the perspective of the full system, it fails to mention that the only data I actually give a rat's ass about is the data in my account, I can always get the rest of the crap from CD/downloading! AppArmor can help fix this by saying: Hey Firefox, just because you are running as user CajunArson, you DON'T get to do everything CajunArson can do, we will only let you operate on some files, and you can't get full access to his data, you can't fork/exec any ol' program that CajunArson can, and in general you are limited to doing what you are supposed to do: Browse the Web. The underlying concepts are still based on the MAC used by SELinux, but the implementation, while not as air-tight theoretically, is also easier to adjust. If there is something I really need firefox to do that the profile will not allow, AppArmor makes the process of tweaking the security easier than SELinux in general (although RedHat could be working on better SELinux tools to fix that).
    Sorry for the long post, but remember: the next time someone says Linux is more secure than Windows, remember that things like SELinux and AppArmor really are what make it better, not just because it has a mean looking penguin!

Re:100%?

[Niten]

Good GUIs are a wonderful thing, but I want to emphasize that SELinux isn't really all that difficult to begin with. High quality SELinux rules shipped with solid distributions such as RHEL 5 eliminate many of the problems that early adopters faced; indeed, that's more or less the subject of this article.

Many people (such as myself) consider SELinux much less of a "patch job" than AppArmor. For instance, with AppArmor security attributes are not stored with the filesystem inodes, but are specified according to path name. That might simplify AppArmor's implementation a bit, but consider what happens to the security policy when you have two different path names hard linked to the same inode...

Those of us who are partial to SELinux's implementation of mandatory access controls are thrilled to see the strides that Red Hat has made in their latest enterprise release.

Re:100%?

Permissive mode is only useful for policy development. The kernel does not enforce the security policy in permissive mode so it is no more secure than turning it off.

Enforcing mode = Security policy decisions are enforced, policy violations are logged.
Permissive mode = Security policy decisions are not enforced, policy violations are logged.
Disabled = Security policy decisions are not computed.

Re:100%?

[BigBuckHunter]

Permissive mode is only useful for policy development.

I wholeheartedly agree.
Step 1: Install RHEL, disable SELinux
Step 2: Install and configure your stack (apache, jboss, tomcat, mysql, whatever)
Step 3: Enable permissive mode, light up the stack, watch logs
Step 4: Tweak the rules, repeat step 3 until the logs are clean.
Step 5: Enable Enforcing Mode

You can now rest a little bit easier knowing that you have SELinux enabled. The only drawback is that you sometimes have to repeat the process as new versions of your stack are released (mysql, jboss). It's basically a monthly process.

BBH

Re:100%?

[sirambrose]

The problem in using a selinux system is when most of the software on the system is custom written or custom configured. Although I believe that the using the common combinations of web servers and database servers are easy to combine now, I can easily imagine wanting my web application to do things that are prohibited by policy. Customizing selinux looks somewhat challenging. If you just run a standard mail server or something it is probably great.

Everybody says that app-armor sucks with hard links, but I just don't see it. If your configuration looks like

allow all
deny read,write /root/mysecretfile

then you have a problem with hard links, but it isn't relevant. In that case you have already decided to try to solve the impossible problem of listing every important file on the system. Anyone interested in security would write:

deny all
allow read /etc/daemon.conf
allow read,write /var/daemon/data

Then I don't have to attempt to list all the secure files on the system. All I have to do is decide what I want to grant the daemon access to. If there is a hard link to /etc/daemon.conf, the program can't read it and shouldn't be trying to read it anyway.

Storing the labels in the filesystem only works if you are the distribution maintainer. If all the programs that create a particular kind of file don't agree on the label, the on-disk labels can get messed up. The simple config file in app-armor allows easy auditing.

That said, I like the possibility of securing dbus and X with the same framework as the filesystem. I'm hoping that we will see a document file access daemon for linux that allows the user to securely load and save files from a sandboxed firefox or openoffice process. Until selinux gets used for this type of desktop security instead of just network daemon security, the added power of selinux is mostly useless.

SELinux is a good thing

[pembo13]

It can save a system from being compromised due to other services which are either weaker, or poorly configured. Taking some time to get SELinux working properly in ones production environment (if that system is important) is more than worth the time it takes to read up on it. Being a lazy sys admin rarely pays off in the long run.

Re:SELinux is a good thing

[garett_spencley]

But it all really boils down to your needs.

For example, consider the typical LAMP server (linux + apache + mysql + php) that hosts a web application. What does it need to protect ? It needs to protect the database with all the user data, the publicly accessible html documents and php scripts and possibly the log files.

You may also argue that it needs to protect the overall system from compromises involving using the system as a zombie or irc server etc. but in that situation a well managed server could simply have the software reinstalled. If the admins are competent and have access to spare servers they could configure the replacement machine and do a swap without incurring any downtime at all.

In this situation SE Linux might just be total overkill. The extra paranoid could have the publicly accessible html docs + php scripts on a read-only partition. This is a production environment we're talking about so the need to upload new documents will only be when upgrading software versions. If the web application allows users to upload data then that will need to be handled separately. A cron job could change file permissions on newly updated documents so apache no longer has write access. The log files can be moved to a separate location once per day when they're rotated where apache (or any other services) don't have access to them. MySQL can run chrooted, only bind to 127.0.0.1 and the database files can only have read/write access from the mysql user. Daily, or even hourly, backups of the database to read-only media can be implemented. This is on top of running an intrusion detection system, installing security updates asap, and doing all of your other post-install locking down before the network cable is even plugged in to the machine (setting up your ssh keys, firewalls, uninstalling unnecessary software - including compilers - and obviously unused daemons and anything else the paranoid admin does before the machine goes live etc.)

We're already talking about way more security than most LAMP based servers out there.

I agree that the setup could still benefit from SE Linux, particularly for the database since it's still the weakest link and one of the areas in the most need of protection. MySQL needs to read/write to the database on a regular basis and so you need to allow write access to the data files, trust your software, trust your mysql binaries (all binary files and static config files can be on read-only partitions) and nothing is preventing a root process from changing the file permissions or corrupting the data. However, for most people this setup would be more than adequate and SE Linux would be total overkill.

100% Secure

[whterbt]

Ignoring for now that nowhere in the article does he claim that SELinux provides or is required for "100% security", there's no such damn thing. Unless you pull out the power cord, of course.

Yes, we disable SELinux at our shop. As the article mentions, it's a pain in the ass, and the tools to manage it are not mature enough. If all you have is RHEL, and you have nothing else to do, you can look at configuring it. If you have a bunch of corporate mucky-mucks breathing down your neck, and you have to get the latest version of GnuWhatever compiled for 5 different OSs, there's no time to deal with this nonsense.

SELinux probably works just great for what it was designed for - NSA top-secret systems. There's always a tradeoff between security and usability, and right now, SELinux is just above yanking the power cord.

Re:just how good is this?

[sammy+baby]

The short version: it's very good. But a huge pain in the ass.

The slightly longer version: IPtables is about network access, firewalls, et cetera. SELinux is about ensuring the integrity and access rights of software on your system. It's designed to prevent, say, one process on your machine from overwriting a file it should be able to. There's a pretty good explanation of exactly what it buys you here. (Warning: government site. They're watching youuuuuu!)

The problem with SELinux is that up until recently it has been a royal pain in the ass to configure. You'd go, "Sure, this sounds like a good idea", turn it on, and then curse it roundly when you tried updating MySQL from the version that ships with RHEL to the most recent supported release from MySQL. As a result, most folks just turned it off - they figured it wasn't worth the hassle.

RHEL 5 apparently includes tools (see the article) for figuring out what's wrong with your SELinux configuration. Definitely worth looking into. But if you're not concerned with validating application integrity on your home box... and let's face it, it's a home box... probably not worth it for you until it becomes dead simple.

Just disable it for certain apps

[KidSock]

For those who may not fully understand what SELinux actually does, let me give you an example.

With SELinux enabled, by detault Apache will be prevented from accessing files other than those of very basic web apps, it cannot open sockets to other hosts, etc.

For IntErnet applications this is quite reasonable and with the machine on the most hostile network around you really should use SELinux. It won't stop a break in but it can seriously curtail the effects of one.

For an IntrAnet application that is trying to write to custom log files and talk to LDAP servers and such, SELinux is not going to let you do that. At this point you have two choices - 1) tweek SELinux properties to allow only the specific functionality required by the application or 2) disable SELinux for that entire application. Considering an IntrAnet affords some physical protection, SELinux is less important in that environment and therefore, in this scenario, if you're really not savvy with SELinux and you don't have the time to get into it, I recommend just disabling it for entire application using it.

For example, to disable SELinux just for Apache you do:

# setsebool -P httpd_disable_trans 1
# service httpd restart

Note that SELinux uses db files that remember these changes so they will persist across reboots and there are no config files to edit. It's a nice system because it's easy to add these commands to install scripts and such.

So don't get bent about SELinux. Learn enough to disable it for specific apps and then turn it on all over. Keep an eye on the log files. If SELinux is stopping access to things by apps it will report it in the log file. Then determine if the app should be doing that and if so disable SELinux just for that app.

Re:SELinux is a problem

[farkus888]

saying that you can't install things while selinux is running is a flaw of selinux is like complaining about needing to be root to install things. its job is to keep shit from changing, changes like installing mysql could be done while it was running it wouldn't be doing its job. disabling it long enough to make changes is just like su or sudo to get temporary root access inside your normal user environment.

disclaimer -- I may be completely off base because I don't use it in a production environment, I disable it during install whenever putting a fedora box up for use.

Less complex alternatives exist to SELinux.

[liftphreaker]

Whatever Redhat says, the fact remains that SELinux is an incredibly complex, and incredibly undocumented (or under-documented) piece of software. It took me two months to really understand how it worked and what exactly to configure when I needed to fine-tune access rights and permissions on our servers. That is a nightmare I wouldn't wish on anyone.

Redhat is not going to get much traction from this unless there is a very easy to use tool (preferably with GUI) to configure and customize SELinux, out of the box. The default tools on RHEL allow a few options during install time, but it is truly primitive.

There really doesn't need to be this huge love/hate relationship with SELinux, in fact why not just throw it out and use something far simpler and neater? There are several options out there. Off the top of my head I can think of GRSEC : http://www.grsecurity.net/

We've been using this on two of our server farms and it's been doing a superb job, and it is very very easy to customize compared to the SElinux nightmare.

Re:AVC (server) = UAC (desktop)

[Volante3192]

Very off topic, but I was just thinking...

windows with it's constant prompts to do stuff while performing the same task gets very annoying and will quickly train the user to just click the allow, rendering it practically pointless.

Clearly, in order to make users think about this, a 5 second delay has to be introduced before the Allow/Deny buttons are active...

Re:just how good is this?

[g1zmo]

It's designed to prevent, say, one process on your machine from overwriting a file it should be able to.

Yeah, that pretty much sums up my experience too.

example: text relocations

[r00t]

Common problem: you built a library (a *.so file) without compiling all the object files (the *.o things) with gcc's -fpic or -fPIC option, and/or you forgot to specify -shared when linking.

When you make this kind of screw-up, you cause something called "text relocations". These don't even work on non-x86 and Debian bans them anyway for reasons related to memory usage. A text relocation means that the loader patches the code itself, rather slowly, when loading the shared library. This requires memory to be both writable and executable, which is a no-no for security against buffer overflows. SE Linux is usually set up to prohibit this by default.

If your broken shit runs as a server or gets loaded into a web browser, you greatly decrease security. You suck. Fix your shit.

I'm a developer too. I've upped my standards. Up yours!

AppArmor

[hweimer]

AppArmor's main approach is somewhat less broad. It is more like putting certain applications into a MAC container to limit what an application can do, no matter who the user using the application is. A great example of this that most Slashdot readers should look into is putting the browser into a safety container.

Some time ago, I wrote a review of AppArmor, finding that it solves problems that don't exist. Looking at your browser example, the functionality provided by AppArmor can be implemented completely by setting up a different user and setting appropriate file ACLs.

For the real problems AppArmor provides little help. Can you confine network usage of a program, meaning your internal network cannot be accessed once your browser has been hacked? No. Can you limit the syscalls a program may use, reducing the risk of successful kernel exploits? No.

As long as it stays this way, I recommend to everyone to use SELinux, even though it is much more difficult to setup and configure.

Both right

[Tom]

Why's there a "however" inbetween. It's both right. SELinux is complex and hard to understand. Heck, I should know I've given speeches at half a dozen conferences about it. And at the same time, it is the most secure option Linux has at this time.

Yes, there are alternatives.
Yes, some of them are easier to understand.
No, none of them give you the level and sophistication of SELinux, not even close.
No, that's not likely to change very much. Security is hard to do.