Stupid advice and some of my own ideas
I was afraid I would hear about that some day, but hoped I never would.
But of course the day came that I finally had to read about a company suggesting to turn off SELinux in order to fix a problem running their software.
Joshua Brindle, SELinux developer at Tresys, reported it in his blog: "Software not working? Disable SELinux."
Not only does the unnamed company suggest that he disable SELinux completely to run their software (reducing it from enforcing-mode to permissive-mode would also have done the trick); the problem, as Joshua finally figured out, wasn't even related to SELinux... They just hear he's using SELinux and suggest disabling it completely, without any research into the problem.
What good are security extensions like SELinux or AppArmor when companies that obviously have no idea what they're talking about suggest turning them off whenever people have problems using their software? And for sure there are enough users who even follow that stupid advice.
But there are also companies who support users who have problems with their software on systems with SELinux, like SAP. They show in a blog-entry how to create a policy-module that will help using SAP with SELinux.
In my opinion SELinux is a big and important step in the right direction. Especially because modern operating systems still implement the most stupid idea in computer security: Default Permit.
Novell's AppArmor isn't much different, and SELinux in targeted-mode doesn't do very much about it either.
But SELinux in strict-mode is. With this you can turn over your Linux from "Default Permit" to "Default Deny"; only what's allowed by the policy will be executed, everything else will be blocked.
And this is exactly the right way. You're supposed to know what's doing what on your box, and therefore it should be possible to put this into a ruleset, or as it's called with SELinux, a policy. Of course this can be cumbersome, since a modern Linux system comes with a lot of applications which work together in various ways. And all of this can be covered by SELinux.
So, I think the short term target should be having SELinux implemented in more distros. Red Hat already does it, they have SELinux on (in targeted-mode, but at least enforcing) by default in Red Hat Enterprise and in Fedora. Also a few others already use it by default, like EnGarde Secure Linux, or at least offer the option to install it, like my EasyLFS (which will also enable it if it's installed, like Fedora in targeted-mode, but enforcing; and I work on offering strict-mode).
Novell on the other hand thinks that SELinux is too complicated for its customers. And instead of contributing tools to make configuring SELinux easier, they bought Immunix and now ship their distros (Suse Enterprise and OpenSuse) with the already mentioned AppArmor.
As said: AppArmor and SELinux in targeted-mode offer a similar amount of additional protection, but with AppArmor you're already at the end of its capabilities; SELinux still has strict-mode, which implements Default Deny.
Which leads us to our medium term target: Establishing strict-mode SELinux in distributions. Whether that's necessary for normal users is another question, but if it's done right he shouldn't even notice. For servers on the other hand, having a system which is properly secured with SELinux in strict-mode should become mandatory.
If I have to install another Linux-server I will for sure use EnGarde Secure Linux, since they have a great SELinux-implementation and, as far as I remember, even offer strict-mode.
It should be expectable that a proper Linux admin can deal with SELinux and enhance its policies if necessary. It's actually not that hard; audit2allow already helps you a lot with this.
To sum it all up a little, a small list with just a few points:
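What audit2allow does with the audit log, sketched as an added example (not audit2allow's own code and not part of the original post): it reads AVC denials and merges them into allow rules. The log lines, the application `myapp` and the type `myapp_t` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit records (hypothetical app "myapp", made-up types).
SAMPLE_LOG = """\
type=AVC msg=audit(1170000000.101:41): avc:  denied  { read } for  pid=2101 comm="myapp" name="data.db" dev=sda1 ino=5120 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1170000000.102:42): avc:  denied  { write } for  pid=2101 comm="myapp" name="data.db" dev=sda1 ino=5120 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1170000000.140:43): avc:  denied  { name_bind } for  pid=2101 comm="myapp" src=8443 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1170000000.150:44): avc:  denied  { net_bind_service } for  pid=2101 comm="myapp" capability=10 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:system_r:myapp_t:s0 tclass=capability
type=AVC msg=audit(1170000000.160:45): avc:  granted  { setenforce } for  pid=1 comm="init" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=SYSCALL msg=audit(1170000000.160:45): arch=40000003 syscall=4 success=yes
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def denials_to_rules(log_text):
    """Merge AVC denials into sorted 'allow' rules, one per (source, target, class)."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # granted AVCs, SYSCALL records, unrelated lines
        src, tgt = type_of(m["scon"]), type_of(m["tcon"])
        if tgt == src:
            tgt = "self"  # a domain acting on itself is written as "self"
        merged[(src, tgt, m["tclass"])].update(m["perms"].split())
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {body};")
    return rules

if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_LOG):
        print(rule)
```

Each generated rule still needs a read-through before it goes into a module: allowing everything that was denied can reopen exactly what the policy was written to block.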
- You're developing applications for Linux and one of your customers/users has problems running your program? Don't ever suggest disabling SELinux. It's like suggesting to always leave the door open because the new air conditioning doesn't work... Better try to work with the customer/user to create a policy which enables the use of your software with SELinux.
- You're a user and have problems using some software with SELinux? Don't ever listen to developers or supporters suggesting disabling SELinux! Insist on a proper solution. If necessary, some unfriendly words about incompetence and lack of knowledge might help in getting more than standard replies.
- SELinux is good, useful and important.
- Even AppArmor is useful but is restricted in comparison to SELinux. If you have the choice, better go for SELinux.
- Short term target: Establishing SELinux in all (established) distros. Except Suse of course, they will surely hang on to their own solution instead of supporting SELinux.
- Medium term target: Establishing SELinux in strict-mode in distros (for servers).
This is the first of so far three posts about SELinux and AppArmor. This one mostly focuses on SELinux, the next two will be about why SELinux is better than AppArmor.
Although I really believe that AppArmor's security isn't much help, I already downloaded OpenSuse 10.2 and will try it this weekend to actually touch AppArmor instead of only reading about it.
My work on EasyLFS helped me to get a little experience with SELinux and I know it's not easy to manage, but it's getting better. And it's really not that hard.